Software  Engineering  Institute 
Carnegie  Mellon  University 


The  Critical  Role  of  Positive  Incentives 
for  Reducing  Insider  Threats 


CERT  Division  Staff 

Andrew  P.  Moore 
Samuel  J.  Perl 
Jennifer  Cowley 
Matthew  L.  Collins 
Tracy  M.  Cassidy 
Nathan  VanHoudnos 

SEI  Director’s  Office 

Palma  Buttles 


December  2016 


SEI  Human  Resources 

Daniel  Bauer 
Allison  Parshall 
Jeff  Savinda 

SEI  Organizational  Effectiveness  Group 

Elizabeth  A.  Monaco 
Jamie  L.  Moyes 

CMU  Heinz  College  and  Tepper  School  of 
Business 

Denise  M.  Rousseau 


TECHNICAL  REPORT 

CMU/SEI-201 6-TR-01 4 

CERT  Division 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


http://www.sei.cmu.edu 


Copyright  2016  Carnegie  Mellon  University 


This  material  is  based  upon  work  funded  and  supported  by  the  Department  of  Defense  under  Contract 
No.  FA8721-05-C-0003  with  Carnegie  Mellon  University  for  the  operation  of  the  Software  Engineer¬ 
ing  Institute,  a  federally  funded  research  and  development  center. 

Any  opinions,  findings  and  conclusions  or  recommendations  expressed  in  this  material  are  those  of  the 
author(s)  and  do  not  necessarily  reflect  the  views  of  the  United  States  Department  of  Defense. 

This  report  was  prepared  for  the 
SEI  Administrative  Agent 
AFLCMC/PZM 

20  Schilling  Circle,  Bldg.  1305,  3rd  floor 
Hanscom  AFB,  MA  01731-2125 

NO  WARRANTY.  THIS  CARNEGIE  MELLON  UNIVERSITY  AND  SOFTWARE  ENGINEERING 
INSTITUTE  MATERIAL  IS  FURNISHED  ON  AN  “AS-IS”  BASIS.  CARNEGIE  MELLON 
UNIVERSITY  MAKES  NO  WARRANTIES  OF  ANY  KIND,  EITHER  EXPRESSED  OR  IMPLIED, 
AS  TO  ANY  MATTER  INCLUDING,  BUT  NOT  LIMITED  TO,  WARRANTY  OF  FITNESS  FOR 
PURPOSE  OR  MERCHANTABILITY,  EXCLUSIVITY,  OR  RESULTS  OBTAINED  FROM  USE 
OF  THE  MATERIAL.  CARNEGIE  MELLON  UNIVERSITY  DOES  NOT  MAKE  ANY 
WARRANTY  OF  ANY  KIND  WITH  RESPECT  TO  FREEDOM  FROM  PATENT,  TRADEMARK, 
OR  COPYRIGHT  INFRINGEMENT. 

[Distribution  Statement  A]  This  material  has  been  approved  for  public  release  and  unlimited  distribu¬ 
tion.  Please  see  Copyright  notice  for  non-US  Government  use  and  distribution. 

Internal  use:*  Permission  to  reproduce  this  material  and  to  prepare  derivative  works  from  this  material 
for  internal  use  is  granted,  provided  the  copyright  and  “No  Warranty”  statements  are  included  with  all 
reproductions  and  derivative  works. 

External  use:*  This  material  may  be  reproduced  in  its  entirety,  without  modification,  and  freely  distrib¬ 
uted  in  written  or  electronic  form  without  requesting  formal  permission.  Permission  is  required  for  any 
other  external  and/or  commercial  use.  Requests  for  permission  should  be  directed  to  the  Software  En¬ 
gineering  Institute  at  permission@sei.cmu.edu. 

*  These  restrictions  do  not  apply  to  U.S.  government  entities. 

Carnegie  Mellon®  and  CERT®  are  registered  marks  of  Carnegie  Mellon  University. 

DM-0004289 


Copyright  2016  Carnegie  Mellon  University 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


Table  of  Contents 


Acknowledgments  iv 

Executive  Summary  v 

Abstract  vii 

1  Introduction  1 

1.1  Research  Context  2 

1 .2  Overview  of  the  Report  4 

2  Incident  Analysis  5 

2.1  Method  5 

2.2  Incident  Analysis  Results  6 

3  Organizational  Survey  8 

3.1  Background  8 

3.2  Method  10 

3.2.1  Survey  and  Other  Materials  10 

3.2.2  Sampling  12 

3.2.3  Recruitment  Procedure  12 

3.2.4  Analysis  Procedure  13 

3.3  Results  13 

4  Model  of  the  Problem  16 

4.1  Method  16 

4.2  The  Model  17 

4.3  Model  Settings  19 

4.4  Model  Execution  19 

5  Positive  Incentive-Based  Principles  and  Practice  Areas  25 

5.1  Hiring  the  Right  Staff  27 

5.2  Perceived  Organizational  Support  28 

5.3  Sociocultural  Considerations  33 

6  Conclusions  and  Future  Work  35 

Appendix  A  Research  Landscape  37 

Appendix  B  Scales  Used  in  Incident  Coding  39 

Appendix  C  Survey  Components  42 

Appendix  D  Positive  Incentive-Based  Principles  and  Practice  Areas  45 

Bibliography  47 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


List  of  Figures 

Figure  1 :  Insider  Threat  Defense  Options  1 

Figure  2:  Overview  of  the  Five-Point  Scales  for  Interest  Alignment  5 

Figure  3:  Incident  Analysis  Overview  6 

Figure  4:  Over  Time  Behavior  Along  Three  Dimensions  7 

Figure  5:  Negative  Correlation  Between  Perceived  Organizational  Support  and  Insider 

Misbehavior  14 

Figure  6:  Negative  Correlation  Between  Organizational  Justice  and  Insider  Misbehavior  14 

Figure  7:  System  Dynamics  Notation  16 

Figure  8:  Core  Stocks  and  Flows  in  the  Organizational  Context  17 

Figure  9:  Emerging  Physics  of  Organization  Dissatisfaction  and  the  Disgruntled  Insider  18 

Figure  10:  Employee  Satisfaction  Levels  20 

Figure  1 1 :  Employee  Classification  Levels  20 

Figure  12:  Individuals  Responsible  for  Insider  Threat  Incidents  21 

Figure  13:  Sensitivity  Simulation  Results  on  Insider  Threat  Incidents  22 

Figure  14:  Model  Extension  to  Estimate  Potential  Cost  Savings  23 

Figure  15:  Decrease  in  Yearly  Costs  Due  to  Satisfaction  Improvement  24 

Figure  16:  Extending  the  Traditional  Information  Security  Paradigm  25 

Figure  17:  Taxonomy  of  Positive  Incentive  Workforce  Management  Practice  Areas  26 

Figure  18:  Factors  Involved  in  Hiring  the  Right  Staff  27 

Figure  19:  Factors  Involved  in  Organizational  Justice  28 

Figure  20:  Factors  Involved  in  Adequate  Rewards  and  Recognition  29 

Figure  21 :  Factors  Involved  in  Effective  Communication  30 

Figure  22:  Factors  Involved  in  Supportive  Management  31 

Figure  23:  Factors  Involved  in  Effective  Working  Conditions  32 

Figure  24:  Research  Landscape  37 

Figure  25:  Perceived  Organizational  Support  Scale  39 

Figure  26:  Job  Engagement  Scale  40 

Figure  27:  Connectedness  with  Co-Workers  Scale  41 

Figure  28:  Taxonomy  of  Positive  Incentive  Workforce  Management  45 

Figure  29:  Positive  Incentive-Based  Practice  Areas  46 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


Acknowledgments 


The  authors  are  very  grateful  to  the  SEI  Director’s  Office  for  its  support  in  making  this  research  a 
truly  multi-disciplinary  effort  of  researchers  and  practitioners  across  the  SEI.  The  authors  would 
also  like  to  thank  members  of  the  SEI  Software  Solutions  Division:  Dr.  David  Zubrow  for  his  help 
in  developing  our  research  design  and  William  Novak  for  help  in  identifying  and  documenting 
negative  unintended  consequences  of  insider  threat  programs.  Special  thanks  to  the  Open  Source 
Insider  Threat  (OSIT)  Information  Sharing  Group  for  their  responses  to  our  survey.  Finally,  we 
thank  Sandra  Shram  and  Barbara  White  for  their  excellent  technical  editing  of  this  report. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  iv 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


Executive  Summary 


Traditional  insider  threat  management  involves  practices  that  constrain  users,  monitor  their  be¬ 
havior,  and  detect  and  punish  misbehavior.  Such  negative  incentives  attempt  to  force  employees 
to  act  in  the  interests  of  the  organization  and,  when  relied  on  excessively,  can  result  in  negative 
unintended  consequences  that  exacerbate  the  threat. 

Positive  incentives  can  complement  traditional  practices  by  encouraging  employees  to  act  in  the 
interests  of  the  organization  either  extrinsically  (e.g.,  through  rewards  and  recognition)  or  intrinsi¬ 
cally  by  fostering  a  sense  of  commitment  to  the  organization,  the  work,  and  co-workers.  Instead 
of  solely  focusing  on  making  sure  employees  don’t  misbehave,  positive  incentives  create  a  work 
environment  where  employees  are  internally  driven  to  contribute  to  the  organization  only  in  posi¬ 
tive  ways.  Preliminary  evidence  suggests  that  positive  incentives  can  deter  insider  misbehavior  in 
a  constructive  way  from  the  outset  of  the  employee-organization  relationship  with  fewer  negative 
consequences  than  traditional  practices  alone. 

This  report  describes  the  results  of  an  internally  funded  exploratory  research  project  at  the  Soft¬ 
ware  Engineering  Institute  (SEI)  to  assess  the  potential  for  positive  incentives  to  complement  tra¬ 
ditional  practices  in  a  way  that  provides  a  better  balance  for  organizations’  insider  threat  pro¬ 
grams. 

We  believe  there  are  three  dimensions  along  which  we  can  positively  align  an  employee’s  inter¬ 
ests  with  their  employer’s  interests:  the  employee’s  job,  their  organization,  and  the  people  they 
work  with. 

•  Job  Engagement  involves  the  extent  to  which  employees  are  excited  by  and  absorbed  in  their 
work.  Strengths-based  management  and  professional  development  are  practices  known  to 
boost  employee  job  engagement.  Strengths-based  management  focuses  primarily  on  identify¬ 
ing  and  using  an  individual’s  personal  and  professional  strengths  in  managing  both  their  ca¬ 
reer  and  job  performance  [Buckingham  2009]. 

•  Perceived  Organizational  Support  involves  the  extent  to  which  employees  believe  their  or¬ 
ganization  values  their  contributions,  cares  about  their  well-being,  supports  their  socio-emo- 
tional  needs,  and  treats  them  fairly.  Here,  programs  promoting  flexibility,  work/family  bal¬ 
ance,  employee  assistance,  alignment  of  compensation  with  industry  benchmarks,  and 
constructive  supervision  that  attends  to  employee  needs  can  boost  perceived  organizational 
support. 

•  Connectedness  at  Work  involves  the  extent  to  which  employees  trust,  feel  close  to,  and 
want  to  interact  with  the  people  with  whom  they  work.  Practices  involving  team  building  and 
job  rotation  can  boost  employees’  sense  of  interpersonal  connectedness. 

There  has  been  extensive  previous  research  in  these  areas  that  demonstrate  their  value  in  terms  of 
employee  satisfaction,  commitment,  performance,  and  retention.  In  addition,  a  related  body  of  re¬ 
search  exists  that  helps  determine  the  value  of  these  dimensions  in  reducing  counterproductive 
work  behaviors  generally.  The  SEI’s  research  aims  to  bolster  the  evidence  that  interest-alignment 
practices  reduce  the  more  egregious  forms  of  cyber-related  insider  threat,  such  as  employee  infor¬ 
mation  theft  and  cyber  sabotage. 

CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  v 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


In  summary,  this  report  describes  our  research,  analysis,  and  results  in  several  areas: 

•  Analyzing  several  high-profile  insider  incidents  for  the  levels  of  job  engagement,  co-worker 
connectedness,  and  perceived  organization  support  evident  during  the  incident  timeline.  Per¬ 
ceived  organizational  support  was  found  to  be  low,  but  not  necessarily  in  the  extreme.  These 
incident  case  studies  suggested  focusing  on  organizational  support  in  our  survey  research. 

•  Conducting  a  survey  of  individuals  responsible  for  establishing  insider  threat  programs  in 
organizations.  Supporting  and  extending  previous  research,  we  found  a  negative  correlation 
between  perceived  organizational  support  and  intentional  (primarily  malicious)  counterpro¬ 
ductive  work  behaviors.  A  somewhat  weaker  negative  correlation  was  also  found  between  or¬ 
ganizational  justice  and  these  behaviors.  The  relationships  were  found  to  be  statistically  sig¬ 
nificant  at  the  95%  confidence  level.  However,  the  exploratory  nature  of  our  initial  analysis 
does  not  permit  us  to  generalize  this  relationship  to  the  larger  population  of  organizations. 

•  Developing  a  simulation  model  that  illustrates  the  value  of  positive  incentives.  We  developed 
a  system  dynamics  model  based  on  published  data  and  simple  (but  arguable)  assumptions 
showing  how  positive  incentives  can  increase  a  program’s  operational  efficiency  with  re¬ 
duced  investigative  costs  and  fewer  incidents  involving  disgruntled  or  exploitive  insiders.  Our 
incident  analysis  and  survey  work  provided  validation  of  the  simulation  model  structure.  We 
will  continue  to  calibrate  our  model  based  on  future  research  and  expect  to  demonstrate  simi¬ 
lar  benefits  as  our  work  progresses. 

Our  research  raises  many  questions  about  how  an  insider  threat  program  can  or  should  incorporate 
positive  incentives  that  improve  employees’  perceptions  of  support  by  the  organization.  In  addi¬ 
tion  to  research  to  understand  whether  the  surveyed  relationships  generalize  and  are  causal  in  na¬ 
ture,  our  future  work  will  focus  on  what  we  believe  to  be  the  key  to  a  successful  insider  threat 
program:  identifying  the  mix  of  positive  and  negative  incentives  that  creates  a  net  positive  for 
both  the  employee  and  the  organization. 

The  challenge  is  that  people  respond  to  incentives  differently  depending  on  the  culture  of  the  or¬ 
ganization,  the  nature  of  their  job,  and  their  personality.  Fortunately,  existing  theory  provides  in¬ 
sight  into  these  differences  and  can  illuminate  a  means  for  building  a  general  transition  process  to 
take  an  organization  from  its  current  state  to  one  that  has  a  balance  of  positive  and  negative  incen¬ 
tives  that  promotes  employee  satisfaction,  performance,  and  retention  while  also  being  more  ef¬ 
fective  at  reducing  the  insider  threat. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  vi 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


Abstract 


Traditional  insider  threat  practices  involve  negative  incentives  that  attempt  to  force  employees  to 
act  in  the  interests  of  the  organization  and,  when  relied  on  excessively,  can  result  in  negative  un¬ 
intended  consequences  that  exacerbate  insider  threats.  Positive  incentives  that  attempt  to  encour¬ 
age  employees  to  act  in  the  interests  of  the  organization  can  complement  negative  incentives.  In 
our  research,  we  identified  and  analyzed  three  avenues  for  aligning  the  interests  of  the  employee 
and  the  organization:  job  engagement,  perceived  organizational  support,  and  connectedness  with 
co-workers.  Based  on  an  analysis  of  three  insider  threat  incidents  and  an  exploratory  survey  of  or¬ 
ganizations,  we  developed  a  model  of  the  disgruntled  insider  threat  problem  as  it  relates  to  dissat¬ 
isfaction  with  the  employing  organization  and  the  potential  benefits  associated  with  positive  in¬ 
centives  that  improve  perceived  organizational  support  and  justice.  To  help  organizations 
understand  their  options  for  using  positive  incentives  as  part  of  their  insider  threat  program,  we 
outline  workforce  management  practices  to  improve  employees’  feelings  of  being  supported  by 
the  organization.  This  research  is  a  first  step  toward  creating  a  well-grounded  foundation  on 
which  insider  threat  programs  can  establish  a  more  balanced  and  effective  means  of  reducing  in¬ 
sider  threats,  one  that  is  a  net  positive  for  both  the  employee  and  the  organization. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


VII 


1  Introduction 


Traditional  guidance  regarding  how  to  defend  against  insider  threats  focuses  primarily  on  nega¬ 
tive  incentives,  which  constrain  employee  behavior  or  detect  and  punish  misbehavior.  These  tradi¬ 
tional  security  practices  are  necessary  to  reduce  insider  threats,  but  their  excessive  use  can  result 
in  counterproductive  constraints  on  employees’  actions,  overreliance  on  after-the-fact  responses 
that  fail  to  prevent  damage,  and  alienation  of  staff  that  can  exacerbate  insider  threats  [Moore 
2015], 

Fortunately,  traditional  practices  are  only  part  of  the  suite  of  management  practices  that  organiza¬ 
tions  have  available  to  reduce  insider  threats.  Figure  1  provides  an  abstract  view  of  the  spectrum 
of  insider  threat  countermeasures,  with  more  abstract  objectives  to  the  right  and  the  means  for 
achieving  them  to  the  left. 

The  bulk  of  insider  threat  research  has  focused  on  the  bottom  two  branches:  the  prevention,  detec¬ 
tion  of,  and  response  to  insider  misbehaviors.  Security  policies  and  technical  measures  provide 
negative  incentives  that  are  intended  to  prevent,  detect,  and  respond  to  insider  misbehavior.  Re¬ 
cent  research  has  focused  on  the  detection  of  at-risk  behaviors  of  insiders,  such  as  conflict  with 
co-workers  or  personal  indebtedness,  which  have  been  shown  to  be  pre-cursors  of  serious  insider 
threat  activity  (the  third  branch). 

The  research  described  in  this  report  involves  the  top  branch:  positive  incentives  as  a  means  to  re¬ 
duce  insider  threats  without  the  use  of  monitoring  and  detection  mechanisms.  Positive  incentives 
can  complement  traditional  practices  by  encouraging  employees  to  act  in  the  interests  of  the  or¬ 
ganization  either  extrinsically  (e.g.,  through  rewards  for  following  security  policies)  or  intrinsi¬ 
cally  by  fostering  a  sense  of  commitment  to  the  organization,  the  work,  and  co-workers. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


1 


A  few  forward-thinking  sources  make  the  case  that  positive  incentives  are  a  significant  missing 
aspect  of  insider  threat  defense  [Bunn  2014,  DSS  2016,  CPNI 2014,  Theoharidou  2005,  Sarbin 
1994].  Instead  of  solely  focusing  on  making  sure  employees  don’t  misbehave,  positive  incentives 
create  a  work  environment  where  employees  are  internally  driven  to  contribute  to  the  organization 
only  in  positive  ways.  This  approach  may  seem  idealistic,  but  there  is  a  solid  scientific  basis  for 
this  perspective.  Our  research  is  making  inroads  into  the  second  branch  of  Figure  1  by  elaborating 
conditions  within  organizations  that  are  conducive  to  insider  threat  and  a  means  for  transforming 
organizations  to  be  more  resistant  to  insider  threats.  Preliminary  evidence  suggests  that  positive 
incentives  can  deter  insider  misbehavior  in  a  constructive  way  from  the  outset  of  the  employee- 
organization  relationship.  In  combination  with  traditional  practices,  positive  incentives  offer  the 
possibility  of  a  more  balanced  and  constructive  organizational  approach  to  reducing  the  insider 
threat  with  fewer  negative  consequences. 

This  report  describes  the  results  of  a  research  effort  to  establish  and  model  the  influence  of  posi¬ 
tive  incentives  on  reducing  insider  threats.  For  U.S.  Government  organizations  and  their  contrac¬ 
tors  that  handle  classified  information,  Executive  Order  13587  requires  establishing  formal  insider 
threat  programs.  Many  non-governmental  organizations  are  also  establishing  insider  threat  pro¬ 
grams  as  a  means  to  reduce  their  risk  of  insider  theft,  fraud,  and  sabotage.  With  organizations 
starting  to  recognize  the  downsides  of  negative  incentives,  the  need  for  this  research  has  never 
been  more  pressing.  It  can  be  a  means  to  prevent  employee  alienation  from  their  employer  that 
can  spur  insider  threats,  and  to  complement  organizational  detection  and  response  capabilities. 

1.1  Research  Context 

The  subject  of  our  research  intersects  issues  important  to  both  human  resources  (FIR)  and  cyberse¬ 
curity  professionals.  Appendix  A  provides  the  larger  landscape  of  our  research  as  a  focus  on 
early-stage  disincentivization  of  insider  threats  using  positive  incentives  that  benefit  both  the  em¬ 
ployee  and  the  organization.  We  identify  two  types  of  workforce  management  practices  relevant 
in  our  research: 

•  Negative  incentive-based  practices  (negative  incentives,  for  short):  workforce  management  prac¬ 
tices  that  attempt  to  force  employees  to  act  in  the  interests  of  the  organization 

•  Positive  incentive-based  practices  (positive  incentives,  for  short):  workforce  management 
practices  that  encourage  employees  to  act  in  the  interests  of  the  organization 

While  a  balanced  approach  focuses  on  a  combination  of  positive  and  negative  incentives,  positive 
incentives  have  been  studied  extensively  in  the  modern  era  [Levy  2013,  Smither  2009].  By  far, 
most  of  this  research  focuses  on  the  benefits  of  this  approach  for  improved  productivity,  perfor¬ 
mance,  and  retention,  including  a  relatively  recent  focus  in  an  area  called  “positive  psychology” 
[Seligman  2012].  While  much  of  the  recent  practice-based  literature  focuses  on  a  concept  called 
“work  engagement,”  researchers  have  noted  that  this  concept  is  actually  a  conflation  of  a  lot  of 
previously  established  social  science  theories  and  domains  of  research  [Meyer  2013]. 

We  believe  there  are  three  dimensions  along  which  we  can  align  an  employee’s  interests  with 
their  employer’s  interests:  the  employee’s  job ,  their  organization,  and  the  people  they  work  with. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


2 


•  Job  Engagement  involves  the  extent  to  which  employees  are  excited  by  and  absorbed  in  their 
work.  Strengths-based  management1  and  professional  development  are  practices  known  to 
boost  employee  job  engagement.  Measurement  scales  for  employee  engagement  have  a  con¬ 
siderable  history,  including  their  use  by  both  the  U.S.  Government  [OPM  2015]  and  academic 
researchers  [Schaufeli  2004a]. 

•  Perceived  Organizational  Support  involves  the  extent  to  which  employees  believe  their  or¬ 
ganization  values  their  contributions,  cares  about  their  well-being,  supports  their  socio-emo- 
tional  needs,  and  treats  them  fairly.  Here,  programs  promoting  flexibility,  work/family  bal¬ 
ance,  employee  assistance,  alignment  of  compensation  with  industry  benchmarks,  and 
constructive  supervision  that  attends  to  employee  needs  can  boost  perceived  organizational 
support.  Extensively  validated  measures  have  been  widely  used  since  the  1980s  [Eisenberger 
1986],  culminating  in  a  seminal  publication  that  summarizes  that  research  in  book  form  [Ei¬ 
senberger  2011]. 

•  Connectedness  at  Work  involves  the  extent  to  which  employees  want  to  interact  with,  trust, 
and  feel  close  to  the  people  they  work  with.  Practices  involving  team  building  and  job  rota¬ 
tion  can  boost  employees’  sense  of  interpersonal  connectedness.  One  important  scale  is  the 
one  associated  with  Self  Determination  Theory  (SDT),  in  particular,  the  relatedness  aspects  of 
the  Basic  Psychological  Needs  at  Work  Scale  [Brien  2012].  Another  scale  is  associated  with 
the  Theory  of  Belongingness  [Malone  2012]. 

Although  there  has  been  extensive  research  in  these  areas  that  demonstrate  their  value  in  terms  of 
employee  satisfaction,  commitment,  performance,  and  retention  [Levy  2013],  a  related  body  of 
research  exists  that  helps  to  determine  their  value  for  reducing  insider  threats. 

Literature  with  a  strong  connection  to  our  research  includes  studies  that  show  that  positive  em¬ 
ployee  attitudes  about  their  work  are  linked  to  reduced  counterproductive  work  behaviors.  Coun¬ 
terproductive  work  behaviors  include  malicious  insider  threat  behaviors  as  well  as  other  less  egre¬ 
gious,  but  still  counteiproductive,  behaviors.  A  well-established  body  of  research  on 
psychological  contracts  that  employees  (often  implicitly)  have  with  their  organizations  can,  if 
breached,  serve  as  the  reason  for  negative  attitudes  and  behaviors  by  employees  [Rousseau  1995, 
Restubog  2015]. 

Research  on  psychological  contract  breaches  aligns  with  modeling  research  conducted  at  the  SEI 
that  shows  patterns  of  insider  IT  sabotage  rooted  in  the  insider’s  unmet  expectations  [Cappelli 
2012],  Generally,  counterproductive  work  behaviors  are  found  to  be  negatively  correlated  with 
the  following: 

•  job  engagement  (e.g.,  [Sulea  2012,  Ariani  2013]) 

•  connectedness  at  work  (e.g.,  [Sulea  2012]) 

•  perceived  organizational  support  (e.g.,  [Bordia  2008,  Sulea  2012,  Shoss  2013]) 

•  organizational  citizenship  behavior  (e.g.,  [Ariani  2013]) 

•  conscientiousness  (e.g.,  [Shoss  2013]) 

•  employee  empowerment  (e.g.,  [Afsheen  2013]) 


Strengths-based  management  focuses  primarily  on  identifying  and  using  an  individual’s  personal  and  profes¬ 
sional  strengths  in  directing  their  career  and  managing  their  job  performance  [Buckingham  2009], 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


3 


Especially  significant  is  that  perceived  organizational  support  is  strongly  correlated  with  organiza¬ 
tional  commitment  [Rhoades  2001]. 

1 .2  Overview  of  the  Report 

Our  research  explores  the  role  of  positive  incentives  on  insider  threat  behaviors  through  incident 
analysis  and  an  organizational  survey. 

Section  2  describes  the  analysis  of  three  incidents  of  intentional  harm  caused  by  disgruntled  insid¬ 
ers  to  better  understand  the  potential  role  of  job  engagement,  perceived  organizational  support, 
and  co-worker  connectedness  in  the  context  of  the  insider’s  decision  to  attack.  Based  on  the  need 
to  narrow  the  organizational  survey,  the  results  of  our  admittedly  limited  incident  analysis,  and 
some  supporting  literature,  we  focus  our  survey  work  on  perceived  organizational  support  and  re¬ 
lated  issues  of  organizational  justice. 

Section  3  describes  the  survey  method  employed  and  the  analysis  of  the  results  of  twenty-three 
respondents. 

Section  4  models  the  disgruntled  insider  threat  problem  as  it  relates  to  dissatisfaction  with  the  em¬ 
ploying  organization  and  the  potential  benefits  associated  with  positive  incentives  that  improve 
perceived  organizational  support  and  justice. 

As  a  starting  point  for  organizations  to  understand  their  options  for  using  positive  incentives  as 
part  of  their  insider  threat  programs,  Section  5  provides  an  outline  of  workforce  management 
practices  based  on  positive  incentives. 

Finally,  Section  6  summarizes  our  results  and  describes  avenues  for  future  work.  The  research  de¬ 
scribed  here  is  a  first  step  toward  creating  a  well-grounded  foundation  on  which  insider  threat  pro¬ 
grams  can  establish  a  more  balanced  means  for  insider  threat  reduction. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


4 


2  Incident  Analysis 


The  purpose  of  the  incident  analysis  described  in  this  section  is  to  help  answer  this  question:  To 
what  extent  are  the  interests  of  insider  threat  actors  aligned  with  the  interests  of  the  organization? 
The  previously  described  breakdown  into  three  dimensions — job,  organization,  and  people — sug¬ 
gests  focusing  on  the  following  three  questions: 

1.  Are  insider  threat  actors  disengaged  in  their  job? 

2.  Do  insider  threat  actors  perceive  their  organizations  to  be  supportive? 

3.  Are  insider  threat  actors  disconnected  from  their  co-workers? 

This  section  describes  our  approach  to  analyzing  insider  threat  incidents  and  preliminary  results 
associated  with  three  such  incidents.  We  answer  these  questions  for  each  incident  prior  to  the  start 
of  harmful  activity  and  while  the  harmful  activity  occurred. 

2.1  Method 

Our  research  method  involves  studying  multiple  incidents  of  disgruntlement-spurred  insider 
threats.  We  use  only  public,  non-sensitive  sources  for  each  incident  and  code  the  information 
about  each  incident  so  we  can  make  results  from  our  research  generally  accessible  to  other  re¬ 
searchers.  As  shown  in  Figure  2,  we  code  identified  incidents  along  a  five -point  scale,  ranging 
from  -2  to  +2,  for  each  of  the  three  dimensions — job  engagement,  perceived  organizational  sup¬ 
port,  and  connectedness  with  co-workers. 


Job  Engagement 

-2 

• 

0 

1 

1 

+2 

• 

Actively  Mildly 

Disengaged  Disengaged 

1 

Neither  Engaged 
nor  Disengaged 

1 

Mildly 

Engaged 

Thoroughly 

Engaged 

Perceived  Organizational  Support 

-2  0 

l 

+2 

Perceives  Org  as  Perceives  Org  as 

Antagonistic  Disinterested 

1 

Perceives  Org  as 
Not  Paying 
Attention 

1 

Perceives  some 
Support 

Perceives 
Absolute  Support 

Connectedness  with  Coworkers 

-2 

■«  1 

0 

l 

1 

+2 

•  .  1 

Antagonistic  Conflict  with 

with  Coworkers  Coworkers 

1 

Isolated  from 
Coworkers 

1 

Strictly  Professional 
with  Coworkers 

- • 

High  Level  of 
Connectedness 

Figure  2:  Overview  of  the  Five-Point  Scales  for  Interest  Alignment 


As  might  be  expected,  the  high  end  of  the  scale  (+2)  indicates  the  most  positive  assessment  of  the 
dimension,  whereas  the  low  end  of  the  scale  (-2)  indicates  the  most  negative  assessment.  The  mid¬ 
dle  point  on  the  scale  (0)  indicates  a  rather  neutral  assessment,  although  this  assessment  does  not 
indicate  a  desired  situation  for  either  the  organization  or  the  person  involved.  The  points  between 
the  neutral  point  and  the  high  and  low  ends  (+1  and  -1,  respectively)  indicate  exactly  that — an  as¬ 
sessment  that  is  less  extreme  than  the  end  point,  but  more  extreme  than  the  neutral  point. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


5 


To  provide  coders  with  a  greater  sense  of  the  points  along  the  scale,  we  provided  an  example  at 
each  point  and  provided  previously  developed  survey  questions  used  in  established  assessments 
for  each  dimension.  The  final  scales  used  for  each  dimension — with  examples  and  clarifying 
questions — are  elaborated  in  Appendix  B. 

While  the  information  sources  for  each  incident  are  usually  not  rich  enough  to  answer  the  estab¬ 
lished  survey  questions  individually,  they  can  help  to  get  a  sense  of  where  along  the  five -point 
scale  the  information  that  we  do  have  puts  the  insider’s  behaviors  and  attitudes.  Admittedly,  this 
activity  is  relatively  inexact.  However,  we  can  increase  the  accuracy  and  consistency  of  the  cod¬ 
ing  process  by  requiring  documentation  of  the  coder’s  justification  for  their  rating  on  the  scale  for 
each  dimension.  In  addition,  since  the  insiders’  ratings  may  vary  over  time,  we  provide  ratings 
along  the  five  points  at  each  of  three  contiguous  time  periods  during  the  incident  lifecycle.  This 
range  of  ratings  provides  a  sense  of  the  evolution  of  the  subjects’  attitudes  and  behaviors  over 
time. 

2.2  Incident  Analysis  Results 

We  rated  three  incidents  where  intentional  harm  perpetrated  by  disgruntled  insiders  took  place.2 
Figure  3  provides  an  overview  of  our  analysis  of  each  of  the  three  incidents  rated  along  the  five- 
point  scale.  Each  of  the  three  dimensions  are  represented  as  separate  graphs,  and  each  of  the  three 
time  periods  are  indicated.  The  raters  for  each  case  also  provided  their  assessment  of  the  overall 
score  for  each  dimension. 


As  shown,  Perceived  Organizational  Support  was  negative  in  all  three  incidents,  while  Job  En¬ 
gagement  was  negative  in  only  two  of  the  three  (Case2  and  Case3)  and  Connectedness  at  Work 
was  negative  in  only  one  of  the  three  (Case2). 


Perceived 

Organizational 

Support 


Job 

Engagement 


Connectedness 
at  Work 


Figure  3:  Incident  Analysis  Overview 


This  report  does  not  identify  the  insiders  involved  in  the  incidents  rated. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


6 


This  finding  was  a  bit  suiprising.  As  we  looked  at  the  incidents,  it  seemed  like  the  individual  in 
Casel  could  be  fairly  engaged  in  their  job  while  conducting  activities  counter  to  the  organization. 
Even  more  surprising,  the  individuals  in  Case2  and  Case3  maintained  fairly  good  relations  with 
their  co-workers  while  engaging  in  a  betrayal  of  their  organization  and  country. 

While  it  is  impossible  to  draw  general  conclusions  from  this  small  number  of  cases,  the  results  do 
suggest  that  perceived  organizational  support  may  be  more  central  to  our  hypothesis  that  positive 
incentives  can  reduce  insider  threats.  Of  the  three  dimensions  that  we  studied,  the  strongest  nega¬ 
tive  correlation  with  counterproductive  work  behaviors  found  in  the  literature  was  also  linked  to 
perceived  organizational  support.  This  combination  of  evidence  argues  in  favor  of  focusing  on 
that  dimension  in  our  survey  work,  especially  since  we  needed  to  limit  the  number  of  questions  in 
our  survey  to  ensure  an  adequate  response  rate. 

The  last  aspect  of  our  analysis  was  to  evaluate  the  attitudes  of  the  insider  threat  actors  as  they 
changed  over  time.  There  was  some  fluctuation  over  time  in  all  three  cases,  but  there  was  a  defi¬ 
nite  trend  downward  on  all  three  dimensions  through  the  early,  middle,  and  late  periods  of  the  in¬ 
cidents.  This  trend  becomes  more  apparent  in  Figure  4,  which  shows  the  sum  of  each  dimension 
across  the  three  cases. 


early  middle  late 


Figure  4:  Over  Time  Behavior  Along  Three  Dimensions 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


7 


3  Organizational  Survey 


The  goal  of  this  survey  was  to  understand  what  types  of  organizational  management  practices  im¬ 
pact  the  frequency  of  cyber-related  workplace  theft  and  sabotage. 

The  foundational  research  on  the  topic  of  workplace  aggression/crime  and  related  topics  bal¬ 
looned  from  roughly  the  1960s  to  the  early  2000s.  This  corpus  of  work  evaluated  possible  ante¬ 
cedents  and  consequences  of  workplace  aggression  and  crime,  often  collapsed  into  categories 
called  “counterproductive  workforce  behaviors”  or  “CWBs.”  However,  it’s  difficult  to  generalize 
these  findings  to  the  digital  age  wherein  different  machinations  of  theft  and  sabotage  have 
evolved. 

Pre-digital  age  discoveries  might  be  unique  to  a  particular  time  period  or  generation  of  workers, 
which  we  call  a  “cohort  effect”  [Shadish  2002],  and  this  effect  poses  a  research  gap.  Because  the 
digital  age  engendered  workplace  surveillance,  performance  monitoring,  etc.  that  employees 
sometimes  maladapted  to  (loneliness,  paranoia,  isolation,  etc.),  we  are  cautious  about  inferring 
that  antecedents  to  cyber-related  workplace  aggression/crime  is  part  of  the  same  theoretical  frame¬ 
work  as  pre-digital  CWBs. 

Little,  if  any,  theoretical  research  has  compared  pre-digital  and  post-digital  CWBs  and  their  ante¬ 
cedents.  This  survey  work  attempts  to  understand  the  relationship  between  antecedents  discovered 
in  the  foundational  research  and  cyber-related  CWBs  or  CY-CWBs.  CY-CWBs  are  those  digital 
counterproductive  workplace  behaviors  that  are  deleterious  to  the  productivity  and  well-being  of 
fellow  employees  within  an  organization. 

3.1  Background 

A  subset  of  “psychometrics”  includes  validated  inventories  used  commercially  or  in  academia  to 
measure  psychological  phenomenon  of  interest.  Most  psychometrics  are  designed  and  vetted  with 
various  scripted  reliability  and  validity  metrics  to  demonstrate  their  robustness  in  the  field.  Thus, 
it  makes  sense  to  use  existing  psychometrics  to  measure  antecedents  of  interest.  However,  be¬ 
cause  no  psychometric  existed  for  measuring  the  frequency  of  cybersecurity-related  CWBs,  we 
generated  our  own  CY-CWBs  inventory  for  the  purpose  of  this  study. 

To  generate  CY-CWBs,  we  reviewed  prior  conceptual  and  theoretical  frameworks  of  counterpro¬ 
ductive  workplace  behaviors,  chose  the  most  comprehensive  framework  [Buss  1961],  and  au¬ 
thored  new  cyber-related  questions  reflecting  each  dimension  in  Buss’s  framework.  Each  of  the 
40+  matrix  items  reflected  Buss’  CWB  dimensionality;  however,  we  needed  to  choose  a  subset  of 
matrix  items  for  scoping  purposes  or  our  participants  would  be  taking  a  lengthy  survey. 

From  our  prior  SEI  insider  threat  research,  two  prominent  dimensions  emerged — sabotage  and 
theft — and  those  became  the  two  CY-CWB  dimensions  of  interest.  Section  3.2,  Method,  discusses 
the  detailed  process  of  generating  CY-CWB  questionnaire  items. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


8 


The  antecedents  of  CWBs  are  well  documented  but  conceptually  disorganized.  One  of  the  most 
notable  antecedents  is  perceived  injustice ,3  and  when  coupled  with  a  lack  of  perceived  organiza¬ 
tional  support ,4  employees  report  a  reduced  sense  of  socio-emotional  and  intellectual  well-being. 
Other  antecedents  include  the  following: 

•  lack  of  supervisor  trust  [Konovsky  1994] 

•  low  levels  of  work  engagement  [Saks  2006,  Schaufeli  2004b,  Shantz  2014,  Sonnentag  2003] 

•  abusive  leadership  [Restubog  2011,  Shoss  2013] 

•  high  workload  [Schaufeli  2004b] 

•  supportive  organizational  climate  [Luthans  2008] 

•  lack  of  worker  autonomy  [Baard  2004,  Gagne  2005] 

Some  of  the  comorbid  emotional  states  include  the  following: 

•  anger  [Cropanzano  1989,  Westman  2001] 

•  aggression  [Bowling  2011,  Neuman  2005,  Penney5] 

•  negative  mood  in  general  [Bushman  2001,  De  Quervain  2004,  Penney] 

•  emotional  exhaustion  [Krischer  2010] 

•  stress  [Vermunt  2005] 

You  may  be  overwhelmed  by  the  array  of  factors  and  no  less  relieved  to  know  that  the  list  above 
is  far  from  comprehensive.  A  few  meta-analytic  papers  [Dalai  2005,  Kurtessis  2015,  Rich  2010, 
Saks  2006,  Simpson  2009]  have  attempted  to  organize  these  factors  into  layers  of  antecedents  and 
consequences.  Two  meta-analytic  papers  [Dalai  2005,  Kurtessis  2015]  stress  the  importance  of 
perceived  organizational  justice  and  its  impact  on  perceived  organizational  support,  feelings  of 
job  satisfaction,  and  ultimately  the  frequency  of  counterproductive  workplace  behaviors.  Thus, 
justice,  support,  and  satisfaction  became  the  antecedents  of  interest  but  further  scoping  was 
needed. 

Systematically  paring  down  the  antecedents  list  is  required  to  minimize  the  question  load  on  the 
participant.  In  the  first  stage  of  the  process,  psychometric  quality  was  reviewed  through  metrics  of 
reliability  and  validity  coefficients  that  are  published  in  the  foundational  survey  design  documen¬ 
tation  as  well  as  follow-on  validation  studies.  Our  literature  review  itemized  reliability  and  valid¬ 
ity  coefficients  by  psychometric  name  and  we  ordered  the  list  by  the  magnitude  of  the  reliability 
and  validity  coefficients.  Second,  we  considered  psychometric  type  (e.g.,  metrics  for  cognitive 
abilities,  knowledge,  attitudes,  behavioral  frequencies).  Since  we  cannot  interview  employees 
who  committed  an  insider  threat  behavior,  we  were  forced  to  ask  attitudinal  questions  (e.g.,  “How 
often  do  you  believe  this  behavior  occurs  across  the  organization?”)  of  employees  privy  to  cases 
of  insider  threat.  An  attribute  of  attitudinal  psychometrics  is  the  use  of  agreement  response  scales 
for  each  question.  However,  studies  rarely  publish  response  scale  formatting,  and  we  know  that 


3  [Aquino  2001 ,  Greenberg  1 998,  Bolino  201 5,  Colquitt  2001 ,  Dalai  2005,  Jermier  1 994,  Krischer  201 0,  Kurtessis 
2015,  Moorman  1998,  Saks  2006,  Skarlicki  1997,  Vermunt  2005,  Westman  2001] 

4  [Abas  2015,  Baard  2004,  Ferris  2009,  Gagne  2005,  Kurtessis  2015,  Moorman  1998,  Rhoades  2002,  Rhoades 
2001,  Saks  2006,  Shantz  2014,  Shore  1993,  Wayne  1997] 

5  Penney,  L.  M.;  Spector,  P.  E.;  Goh,  A.;  Plunter,  E.  M.  &  Turnstall,  M.  A  motivational  analysis  of  counterproduc¬ 
tive  work  behavior  (CWB).  Unpublished  manuscript,  University  of  Plouston.  Plouston,  Texas.  2007. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


9 


response  scale  formats  bias  respondents  implicitly.  Thus,  our  team  documented  the  scale  formats 
with  the  highest  potential  response  bias.  Furthermore,  we  had  to  decide  whether  people  in  our 
sampling  frame  could  speculate  on  fellow  employee  behaviors,  experiences,  and  attitudes.  Specu¬ 
lation  is  uncertain,  so  to  reduce  measurement  error,  we  included  ‘don’t  know’  and  ‘does  not  apply 
to  me’  response  options. 

To  further  pare  down  the  list  of  psychometric  inventories,  we  also  considered  the  statistical  impli¬ 
cations  of  ‘antecedents  predicting  CWBs’  versus  ‘antecedents  explaining  CWBs’.  Given  ournon- 
generalizable  sampling  method  discussed  below,  ‘explanation’  was  more  important  than  ‘predic¬ 
tion’  and  detailed  survey  questions  are  better  suited  for  explanatory  purposes;  whereas  predictive 
inventories  comparatively  include  more  parsimonious  sets  of  generically  worded  items.  The 
tradeoff  we  faced  was  that  detailed  items  can  be  confusing  or  can  exhaust  study  participants, 
lengthening  the  time  to  complete  surveys  and  resulting  in  elevated  non-response  rates,  especially 
when  no  fiscal  incentives  are  used  to  counter  non-response. 

In  sum,  we  removed  job  satisfaction  from  our  antecedent  list  because  of  generic  item  wording. 

We  chose  the  36-item  Survey  of  Perceived  Organizational  Support  (SPOS)  because  of  the  detailed 
questions,  high  number  of  citations,  stable  factor  loading  across  studies,  and  moderately  high  reli¬ 
ability  and  validity.  We  chose  the  organizational  justice  survey  [Moorman  1991]  because  it  was 
the  only  inventory  we  could  find  with  a  published  item  set.  We  generated  our  own  CY-CWB 
items  reflecting  cyber  theft  and  cyber  sabotage. 

This  exploratory  study  focuses  on  the  relationships  between  CY-CWB  s,  organizational  support, 
and  organizational  justice.  Our  research  question  is 

To  what  extent  does  an  organization ’s  support  practices  and  typical  sentiment  of  organiza¬ 
tion  justice  relate  to  the  perceived  frequency  of  cyber-related,  counterproductive  workplace 
behaviors  (CY-CWBs)  across  an  organization ? 

The  results  are  reported  at  the  aggregate  level. 

3.2  Method 

This  section  describes  the  survey  logic,  survey  design,  and  the  two  psychometric  inventories  used. 

3.2.1  Survey  and  Other  Materials 

This  section  first  describes  the  survey  logic  and  then  the  survey  design. 

The  gold  standard  of  survey  study  design  involves  a  matched  sample  of  relevant  demographic  pa¬ 
rameters  of  employees  who  committed  CY-CWBs  to  those  who  did  not  commit  them  within  the 
same  organization.  Then,  measure  the  perceptions  on  organizational  support  and  justice  that  each 
person  experienced  within  each  sample. 

However,  asking  participants  about  CY-CWBs  they  committed  is  problematic  for  two  reasons: 

1.  People  are  unwilling,  for  a  variety  of  reasons,  to  report  transgressions  honestly. 

2.  Some  transgressions  can  warrant  investigation  and  punishment. 

To  relieve  the  burden  of  reporting  their  own  transgressions,  we  instead  asked  insider  threat  profes¬ 
sionals  who  were  privy  to  the  frequency  and  types  of  cyber  insider  threat  cases  (i.e.,  familiar  with 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


10 


those  who  committed  CY-CWB),  to  estimate  the  frequency  of  CY-CWBs  occurrences  within  their 
own  organization.  We  then  asked  these  same  individuals  to  report  on  what  they  believed  to  be  the 
average  levels  of  perceived  organizational  support  and  justice.  In  our  analysis,  we  explored 
whether  a  relationship  existed  among  organizational  support,  justice,  and  beliefs  about  the  fre¬ 
quency  of  CY-CWBs.  One  person  per  organization  responded. 

The  survey  was  built  from  two  existing  psychometric  inventories  (see  brief  overview  below  and 
copies  of  the  inventories  in  Appendix  C)  that  measure  perceived  organizational  support:  the  36- 
item  Survey  of  Perceived  Organizational  Support  or  the  SPOS  [Eisenberger  1986]  and  the  20-item 
perceived  organizational  justice  or  the  OJ  [Moorman  1991]. 

Inventory  items  were  modified  to  use  the  third-person  perspective  because  our  participants  were 
speculating  on  organizational  norms  rather  than  their  own  personal  experience.  The  SPOS  and  OJ 
inventories  were  combined  with  the  CY-CWB  as  a  complete  survey.  Due  to  resource  constraints, 
we  were  unable  to  pilot  test  the  resultant  survey,  conduct  factor  analytics  to  reduce  item  loads  of 
the  CY-CWBs,  or  conduct  alternative  reliability  and  validity  testing.  However,  we  did  conduct 
three  cognitive  task  analyses  with  three  unaffiliated  colleagues  to  ensure  the  item  wording  in  the 
CY-CWBs  reflected  the  dimensions  intended. 

Perceived  Organizational  Support  (POS).  The  survey  of  perceived  organizational  support 
(SPOS)  [Eisenberger  1986]  was  based  on  Organizational  Support  Theory  and  Social  Ex¬ 
change  Theory.  The  SPOS  measures  the  positive  and  negative  perceived  orientation  employ¬ 
ees  feel  the  organization  takes  globally  with  respect  to  employee  contribution  and  welfare. 
The  original  SPOS  included  36  items  comprising  two  latent  variables,  then  was  reduced  to 
17  items  and  2  factors  in  the  short  version.  We  used  the  long  version  to  explore  relationships. 
The  two  latent  variables  are  a  valuation  of  the  employee’s  contribution  and  the  care  of  the 
person’s  well-being.  Known  to  be  high  in  internal  reliability,  the  survey  also  boasts,  to  date, 
1923  citations  [Eisenberger  1986],  which  details  the  derivation  and  validation  of  the  SPOS. 
The  samples  used  to  derive  the  SPOS  were  white  collar  workers  in  manufacturing,  credit  bu¬ 
reau  clerical  workers,  telephone  company  line  workers,  law  firm  secretaries,  bookstore 
bookkeepers  and  clerks,  postal  clerks,  financial  trust  company  employees,  and  high  school 
teachers.  Originally  used  to  predict  absenteeism,  the  SPOS  is  widely  used  to  test  an  array  of 
antecedents  to  and  consequences  of  perceived  organizational  support. 

Organizational  Justice  ( OJ).  This  scale  was  designed  to  be  a  parsimonious  measure  of  three 
latent  variables  of  justice:  distributive  justice,  interactional  justice,  and  procedural  justice. 
Distributive  justice  is  the  degree  to  which  rewards  are  allocated  in  an  equitable  manner 
[Niehoff  1993].  Procedural  justice  is  the  “degree  to  which  job  decisions  included  mecha¬ 
nisms  that  insured  the  gathering  of  accurate  and  unbiased  information,  employee  voice,  and 
an  appeals  process”  [Niehoff  1993,  pp.  537].  Interactional  justice  is  the  manner  in  which  an 
employee  is  treated  during  typical  decision  making  within  an  organization.  Twenty  items 
were  placed  on  a  seven-point  agreement  scale.  The  inventory  reports  reliabilities  for  all  three 
dimensions  above  [Moorman  1991]. 

The  survey  had  six  sections: 

1 .  consent  form 

2.  survey  download 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


11 


3.  SPOS  inventory  (see  copies  of  the  inventories  in  Appendix  C) 

4.  OJ  inventory 

5.  CY-CWB  inventory 

6.  closing  comments 

Participants  were  not  allowed  to  advance  to  the  first  page  of  the  survey  until  they  provided  con¬ 
sent.  Because  we  recognize  the  sensitivity  of  the  topic,  the  next  section  included  an  option  to  al¬ 
low  the  participant  to  download  a  PDF  copy  of  the  survey  for  completion  but  no  paper  copies  of 
the  survey  were  ever  mailed  to  our  team. 

We  then  asked  the  participants  for  the  number  of  years  worked  in  the  current  organization.  The 
inventories  were  then  presented  in  random  order,  a  common  practice  for  reducing  the  impact  of 
nuisance  variables  emerging  from  question  ordering. 

In  the  closing  comments  section,  we  asked  participants  to  list  their  job  title  and  then  asked  for  rec¬ 
ommended  organizational  practices  that  they  believed  would  significantly  reduce  CY-CWBs.  The 
final  page  thanked  the  participant  for  their  assistance  and  no  fiscal  compensation  was  provided. 

The  two  inventories  we  used  (the  third  we  created)  are  described  below: 

3.2.2  Sampling 

The  parameters  of  the  sampling  frame  included  the  following: 

1 .  must  be  at  least  1 8  years  old 

2.  must  be  employed  by  your  current  employer  for  at  least  one  year 

3.  must  possess  knowledge  of  employee  management  practices  across  the  organization 

4.  must  have  knowledge  of  the  insider  threat  cases  discovered  within  the  organization 

The  people  who  met  these  parameters  had  a  variety  of  job  titles  in  the  cybersecurity,  HR,  and  le¬ 
gal  professions.  These  individuals  could  be  analysts,  chief  information  security  officers  (CISOs), 
chief  information  officers  (CIOs),  chief  human  resources  officers  (CHROs),  or  legal  counsel. 
Given  the  variability  of  background  professions  and  job  titles,  the  type  of  job  training  to  prepare 
them  for  insider  threat  work  is  moot.  We  have  no  data  on  the  level  of  education  of  these  people  in 
our  sampling  frame. 

We  have  reason  to  believe  that  this  population  is  fairly  rare  and  challenging  to  reach  with  optimal 
sampling  techniques  (random  sampling,  etc.).  Therefore,  a  non-probabilistic  snowball  sampling 
method  was  used  with  an  unknown  number  of  chains.  Many  publications  [Biernacki  1981,  Mag- 
nani  2005,  Spreen  1992]  contest  the  generalizability  of  snowball  sampling  methods  for  hard-to- 
reach  ‘special’  populations;  ‘special’  because  these  people  are  usually  impenetrable  to  outsiders, 
so  response  rates  are  contingent  on  trusted  relationships  [Sudman  1986].  Snowball  sampling  is  a 
non-probability  sampling  method  making  it  impossible  for  generalizable  inference. 

3.2.3  Recruitment  Procedure 

All  participants  were  invited  verbally  during  a  monthly  Open  Source  Insider  Threat  information 
sharing  group  (OSIT)  consortium  call.  The  call  took  place  around  the  first  week  of  August  2016, 
and  the  verbal  invitation  was  followed  by  an  email  invitation  with  hyperlinks  to  the  survey  the 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


12 


same  day.  The  survey  was  available  to  participants  August  7-30,  2016.  Participants  reviewed  the 
consent  form  and  answered  survey  questions.  No  debriefing  was  conducted. 

3.2.4  Analysis  Procedure 

The  survey  instrument  was  designed  with  an  augmented  Likert  scale  of  5  scaled  responses  and  2 
additional  responses.  The  five  point  scale  ranged  from  “1  =  Strongly  Disagree”  to  “5  =  Strongly 
Agree.”  The  two  additional  responses  were  “I  don’t  know”  or  “Does  not  apply  to  me.” 

Due  to  the  limited  sample  size  of  our  survey  (23  valid  organizational  responses  for  55  questions), 
we  were  unable  to  analyze  the  Likert  scale  as  an  ordinal  scale  with  traditional  psychometric  tech¬ 
niques.  We  instead  made  the  following  three  assumptions.  First,  we  assume  that  the  Likert  scale 
values  were  quantitative  (e.g.,  the  difference  between  respondent  A’s  rating  of  a  1  and  a  2  is  pre¬ 
cisely  the  same  as  A’s  rating  difference  between  a  2  and  a  3,  and  so  on  for  all  categories,  all 
scales,  and  all  respondents).  Second,  we  assume  that  the  scale  is  reversible  such  that  questions 
with  negative  valence  (e.g.,  POS  22:  The  organization  fails  to  appreciate  any  extra  effort  from 
me.)  can  be  recoded  to  match  the  positive  valence  questions  by  simply  reversing  the  five  point 
scale.  Finally,  we  assume  that  the  average  of  a  respondent’s  answers  on  all  the  questions  on  a 
given  scale  form  a  consistent  estimate  of  the  respondent’s  position  on  that  scale  (e.g.,  the  average 
of  all  the  POS  questions  is  a  consistent  estimate  of  the  respondents  true  POS  value). 

The  “I  don’t  know,”  “Does  not  apply  to  me,”  and  unanswered  questions  were  coded  as  missing. 
We  used  multiple  imputation  to  generate  five  plausible  values  for  every  missing  response.  We 
used  the  MICE  algorithm  [van  Buuren  2012]  as  implemented  in  the  mice  R  package  [van  Buuren 
201 1]  with  the  random  forest  method  with  a  maximum  50  iterations.  Every  variable  was  included 
in  the  conditional  model  for  every  other  variable. 

Deming  regression  was  used  to  compare  the  organizational  averages  of  the  CWB  scale  against  the 
POS  and  OJ  scales.  The  a  priori  variance  ratios  were  estimated  across  all  five  of  the  multiple  im¬ 
putation  datasets  and  the  regression  was  calculated  for  each  individual  dataset  with  95%  bootstrap 
confidence  intervals  calculated  on  the  slope  parameter  [DiCiccio  1996]  and  then  pooled  across  the 
multiple  imputations. 

3.3  Results 

A  survey  of  members  of  the  Open  Source  Insider  Threat  information  sharing  group  (OSIT) 
yielded  25  responses,  23  of  which  contained  information  about  the  frequency  of  counterproduc¬ 
tive  work  behaviors  in  the  organization.  Of  these  23  responses  only  22%  fully  answered  all  ques¬ 
tions. 

Rates  of  missingness  for  individual  questions  ranged  from  a  maximum  of  65%  missing  (one  ques¬ 
tion,  CWB  20:  Plagiarizing  a  co-worker)  to  a  minimum  of  0%  missing  (24  questions).  The  inter¬ 
quartile  range  of  questions  with  missing  data  spanned  9%  to  26%  missing. 

Exploratory  data  analysis  suggests  that  data  were  not  missing  at  random,  which  further  suggests 
that  our  multiple  imputation  approach  is  necessary  for  unbiased  estimation.  For  example,  the 
choice  of  a  respondent  to  answer  question  CWB  19,  Wiretapping,  was  strongly  associated  with 
the  number  of  years  the  respondent  was  employed  at  the  organization,  with  respondents  choosing 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


13 


“Don’t  Know”  or  leaving  the  question  blank  having  typically  five  years  fewer  experience  than  re¬ 
spondents  who  gave  a  non-missing  response. 

Figure  5  illustrates  the  negative  correlation  between  perceived  organizational  support  and  insider 
misbehavior.  The  resulting  Deming  regression  estimate  of  the  slope  is  -1.04,  with  a  95%  confi¬ 
dence  interval  ranging  from  -2.71  to  -0.41;  therefore,  the  negative  association  is  statistically  sig¬ 
nificant. 


Perceived  Organizational  Support 

Figure  5:  Negative  Correlation  Between  Perceived  Organizational  Support  and  Insider  Misbehavior 

Figure  6  illustrates  the  negative  correlation  between  organizational  justice  and  insider  misbehav¬ 
ior.  The  resulting  Deming  regression  estimate  of  the  slope  is  -0.35,  with  a  95%  confidence  inter¬ 
val  ranging  from  -0.78  to  -0.12;  therefore,  the  negative  association  is  statistically  significant. 


Figure  6:  Negative  Correlation  Between  Organizational  Justice  and  Insider  Misbehavior 

These  results  make  it  clear  that  for  the  organizations  surveyed  more  positive  employee  attitudes 
concerning  organizational  justice  and  support  correlate  with  a  lower  frequency  of  insider  misbe¬ 
havior.  It  is  somewhat  surprising  that  organizational  justice  is  less  negatively  correlated  than  per¬ 
ceived  organizational  support.  One  might  expect  that  unfair  treatment  would  be  a  strong  reason 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


14 


for  insider  misbehavior.  However,  perceived  organizational  support  includes  aspects  of  fair  treat¬ 
ment  as  part  of  the  standard  instrument  for  measurement.  It  also  includes  other  aspects,  such  as 
effective  communication  and  supervisor  supportiveness.  A  plausible  conclusion  to  draw  is  that 
breadth  of  coverage  across  the  various  aspects  of  perceived  organizational  support  is  more  im¬ 
portant  than  in  depth  coverage,  at  least  as  it  relates  to  organizational  justice.  In  Section  5,  we  elab¬ 
orate  workforce  management  principles  and  practice  areas  associated  with  perceived  organiza¬ 
tional  support.  However,  first  we  turn  to  developing  a  simulation  model  for  what  we  know  so  far. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  15 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


4  Model  of  the  Problem 


This  section  describes  a  simulation  model  of  the  problem  associated  with  employees’  dissatisfac¬ 
tion  with  their  employer  and  how  that  dissatisfaction  may  dead  to  disgruntlement-spurred  insider 
threats  such  as  insider  cyber  sabotage,  information  theft,  and  unauthorized  leakage  of  classified 
information. 

4.1  Method 

System  dynamics  helps  analysts  model  and  analyze  critical  behavior  as  it  evolves  over  time 
within  complex  socio-technical  domains.  It  is  one  of  several  modeling  methods  applicable  to  in¬ 
sider  threat  and  has  been  used  extensively  in  that  domain  [Moore  2016,  Cappelli  2012].  Figure  7 
summarizes  the  notation  used  in  our  system  dynamics  model. 

Variable  -  anything  of  interest  in  the  problem  being 
modeled 

Ghost  Variable  -  variable  acting  as  a  placeholder 
for  a  variable  occurring  somewhere  else 

Positive  Influence  -  values  of  variables  move  in  the 
same  direction  (e.g.,  source  increases,  target 
increases) 

Negative  Influence  -  values  of  variables  move  in 
the  opposite  direction  (e.g.,  source  increases,  the 
target  decreases) 

Stock  -  special  variable  representing  a  pool  of 
materials,  money,  people,  or  other  resources 

Flow  -  special  variable  representing  a 
process  that  directly  adds  to  or  subtracts  from 
a  stock 

Cloud  -  source  or  sink  (represents  a  stock 
outside  the  model  boundary) 

Figure  7:  System  Dynamics  Notation 

The  primary  elements  are  variables  of  interest,  stocks  (which  represent  collections  of  resources, 
such  as  dissatisfied  employees),  and  flows  (which  represent  the  transition  of  resources  between 
stocks,  such  as  satisfied  employees  becoming  dissatisfied).  Signed  arrows  represent  causal  rela¬ 
tionships,  where  the  sign  indicates  how  the  variable  at  the  arrow’s  source  influences  the  variable 
at  the  arrow’s  target.  A  positive  (+)  influence  indicates  that  the  values  of  the  variables  move  in  the 
same  direction,  and  a  negative  (-)  influence  indicates  that  they  move  in  opposite  directions. 

A  connected  group  of  variables,  stocks,  and  flows  can  create  a  path  that  is  referred  to  as  a  feed¬ 
back  loop.  At  this  stage  in  our  modeling  effort,  we  have  not  identified  any  significant  feedback 
loops. 

As  a  convention  in  our  model,  we  format  model  input  variables  with  italics,  bold ,  and  underline 
since  these  variables  can  be  dynamically  manipulated  during  model  execution. 

CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  16 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


Varl 

<Varl> 

+ 

Varl  - >  Var2 


Varl  - >  Var2 


Flowl 


G 


4.2  The  Model 


The  core  stocks  and  flows  associated  with  an  employee’s  changing  satisfaction  with  their  employ¬ 
ing  organization  is  shown  in  Figure  8.  We  take  a  simple  view  that  employees  are  either  satisfied 
with  the  organization  or  not,  represented  as  the  two  primary  stocks  involved.  We  assume  that 
newly  hired  employees  may  be  dissatisfied  with  the  organization,  perhaps  as  a  result  of  a  negative 
hiring  or  onboarding  process. 

The  user-settable  variable  percent  satisfied  at  hire  represents  the  percentage  of  those  hired  that 
are  satisfied.  Of  course,  satisfied  employees  can  become  dissatisfied  at  some  rate;  percent  becom¬ 
ing  satisfied  represents  the  percentage  per  month  of  satisfied  individuals  that  become  dissatisfied. 
Likewise,  there  is  a  user-settable  percentage  per  month  of  dissatisfied  individuals  that  become  sat¬ 
isfied;  however,  we  assume  there  is  some  percentage  of  the  workforce  that  is  perpetually  dissatis¬ 
fied  that  is  not  included  in  the  flow  of  employees  becoming  satisfied. 

Finally,  while  employees  leaving  the  organization  may  be  either  satisfied  or  not,  we  expect  a 
larger  percentage  of  dissatisfied  employees  will  leave.  The  next  section  discusses  factors  involved 
with  setting  the  variables  in  the  execution  of  the  model  based  on  existing  data  and  our  project 
analysis. 


Figure  8:  Core  Stocks  and  Flows  in  the  Organizational  Context 


Figure  9  extends  the  model  to  include  the  potential  for  dissatisfied  employees  to  become  disgrun¬ 
tled  and  potentially  become  insider  threat  actors.  We  separate  the  stock  of  disgruntled  insiders 
from  the  stock  of  those  that  actually  go  on  to  cause  insider  threat  incidents.  Once  someone  causes 
an  incident,  there  is  no  turning  back;  they  may  be  stopped  from  causing  further  harm,  but  they 
will  forever  be  seen  as  insider  threat  actors  by  their  employers. 

However,  those  that  are  only  disgruntled  may  get  pulled  back  from  the  brink  either  through  their 
departure  from  the  organization  or  by  their  re-engagement  in  the  mission  of  the  organization.  We 
make  the  following  simplifying  assumptions: 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


17 


•  The  rate  of  re-engagement  is  proportional  to  the  rate  of  dissatisfied  employees  becoming  sat¬ 
isfied. 

•  The  rate  of  departure  is  proportional  to  the  rate  of  termination  of  dissatisfied  employees. 

While  these  assumptions  are  debatable,  they  seem  reasonable  for  an  initial  approximation.  We 
discuss  the  interpretation  and  measurement  of  various  aspects  of  the  model  in  the  next  section. 


Figure  9:  Emerging  Physics  of  Organization  Dissatisfaction  and  the  Disgruntled  Insider 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


18 


4.3  Model  Settings 


The  model  described  in  the  previous  section  raises  the  question  of  what  the  values  should  be  for 
all  of  the  input  variables  during  model  execution.  We  used  the  following  values  in  model  execu¬ 
tion,  at  least  initially: 

•  percent  satisfied  at  hire  =  90% 

•  percent  satisfied  at  termination  =  20% 

•  percent  becoming  satisfied  =  10%/month 

•  percent  becoming  dissatisfied  =  10%/month 

•  percent  of  workforce  perpetually  dissatisfied  =  5% 

•  percent  becoming  disgruntled  =  10%/month 

•  percent  disgruntled  starting  to  attack  =  0.2%/year 

So  how  did  we  derive  these  values?  We  started  by  determining  values  from  previous  research  that 
we  could  use  with  sufficient  confidence  and  then  directed  our  research  to  determine  reasonable 
values  for  other  variables  of  interest.  We  developed  a  preliminary  version  of  this  model  prior  to 
conducting  the  research  described  in  this  report  and  used  it  to  decide  what  additional  data  to  col¬ 
lect. 

As  a  starting  point,  we  reviewed  several  studies  that  are  regularly  conducted  to  assess  employee 
attitudes.  Because  of  our  focus  on  the  U.S.  Government,  a  very  important  study  for  us  is  the  Fed¬ 
eral  Employee  Viewpoint  Survey  Results  [OPM  2015].  This  report  shows  that  employee  satisfac¬ 
tion  within  their  organization  has  been  steady  at  about  55%  over  the  past  several  years.  For  sim¬ 
plicity,  we  assume  these  survey  results  mean  that  55%  of  the  employees  are  satisfied  with  their 
organization  and  45%  are  dissatisfied. 

Finally  a  Gallup  study  has  fairly  consistently  found  that  about  18%  of  the  workforce  is  actively 
disengaged,  which  means  that  the  employee  is  “more  or  less  out  to  damage  their  company”  [Gal¬ 
lup  2013].  This  actively  disengaged  employee  is  also  what  we  refer  to  as  the  disgruntled  insider  in 
the  model.  The  values  for  the  input  variables  listed  above  were  derived  by  a  combination  of  iden¬ 
tifying  plausible  values  and  getting  the  percentages  in  the  previous  paragraph  to  work  out  as  a  re¬ 
sult.  We’ll  describe  the  application  of  sensitivity  (Monte  Carlo)  simulation  in  the  next  section  to 
analyze  the  behavior  of  the  model  over  a  range  of  parameter  values  that  represent  the  uncertainty 
associated  with  those  values. 

4.4  Model  Execution 

Simulation  results  are  described  with  respect  to  a  model  equilibrium,  which  is  shown  in  simula¬ 
tion  graphs  as  a  “baseline”  simulation  run.  The  equilibrium  of  the  model  described  in  this  paper 
ensures  that  the  rate  of  change  of  all  stocks  remains  at  a  constant  value  (possibly  zero).  In  equilib¬ 
rium,  a  model  is  easier  to  experiment  with  since  the  analyst  can  more  easily  determine  how  small 
changes  in  input  affect  the  overall  behavior  of  the  simulation.  Any  change  in  behavior  (as  seen  in 
the  behavior-over-time  graphs)  can  be  attributed  to  that  single  changed  input  and  only  that 
change.  It  is  analogous  in  scientific  experiments  to  keeping  all  variables  constant  (i.e.,  the  inde¬ 
pendent  or  controlled  variables)  except  the  ones  being  studied  (i.e.,  the  dependent  variables). 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


19 


The  baseline  run  of  our  model  represents  an  organization  with  the  percentages  of  the  total  work¬ 
force  described  above:  specifically,  about  55%  of  the  employees  are  satisfied  with  the  organiza¬ 
tion,  45%  are  dissatisfied,  and  18%  are  disgruntled.  These  simulation  results  are  shown  in  Figure 
10  and  Figure  11.  The  simulated  size  of  the  organization  is  somewhat  arbitrary,  but  in  this  execu¬ 
tion  is  about  1,000  people. 


500 


375 


<L> 

&  250 

&i 


125 


0 

0  24  48  72  96  120  144  168  192  216  240 

Time  (Month) 

Employees  Satisfied  with  Organization  :  baseline  - 1 - t - t - i - 1 - T 

Employees  Dissatisfied  with  Organization  :  baseline  — 2 - 2 - 2 - 2 - 2 - 

Disgruntled  Insiders  :  baseline  -2 - 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3— 


Figure  1 0:  Employee  Satisfaction  Levels6 


Employee  Satisfaction  Levels 


Employee  Satisfaction  Fractions 


c 

a 

Q 


0  24  48  72  96  120  144  168  192  216  240 

Time  (Month) 


fraction  satisfied  :  baseline  — t - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 

fraction  dissatisfied  :  baseline  - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 

fraction  disgruntled  :  baseline  — 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3— 


Figure  1 1:  Employee  Classification  Levels 


This  behavior-over-time  graph  was  generated  using  the  Vensim  modeling  tool.  The  X-axis  for  the  graphs  is 
specified  in  months  (240  months — twenty  years — is  the  duration  of  this  simulation).  The  legend  below  the  graph 
shows  each  variable  and  the  name  of  the  simulation  run  graphed  in  the  format  “variable:  simulation  run".  The 
variable  simulation  runs  are  distinguished  with  a  number  label  (1  and  2  in  Figure  12)  and  in  color  copies  also 
specified  in  the  legend  below  the  graph. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


20 


Figure  12  shows  the  accumulation  of  insider  threat  incidents  under  the  above  conditions.  The 
baseline  run  shows  about  six  incidents  occurring  over  a  20-year  period.  The  major  factor  here, 
given  our  assumptions,  is  the  variable  percent  disgruntled  starting  to  attack.  This  variable  is  set 
at  0.2%  per  year.  Put  another  way,  every  year  0.002  Disgruntled  Insiders  are  responsible  for  in¬ 
sider  threat  incidents.  In  equilibrium,  there  are  about  150  disgruntled  insiders,  so  this  is  about  one 
incident  every  3-1/3  years,  accumulating  to  about  six  over  20  years. 


Insider  Threat  Incidents 


Insider  Threat  Incidents  :  baseline  - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 

Insider  Threat  Incidents  :  50%  satisfaction  improvement  - 2 - 2 - 2 - 2 — 


Figure  12:  Individuals  Responsible  for  Insider  Threat  Incidents 

The  simulation  run  named  “50%  satisfaction  improvement”  shows  that  the  number  of  insider 
threat  incidents  drops  in  half  over  the  twenty-year  timeframe  of  the  simulation  when  the  rate  of 
employees  becoming  dissatisfied  drops  by  50%  and  the  rate  of  employees  becoming  satisfied  in¬ 
creases  by  50%. 

This  change,  possibly  due  to  workforce  management  practices  to  improve  employee  attitudes 
about  their  satisfaction  with  the  organization,  takes  place  in  the  simulation  at  month  three,  moving 
the  accumulation  of  insider  threat  incidents  off  its  baseline  trajectory  to  fewer  such  incidents.  Of 
course,  the  actual  decline  is  very  sensitive  to  both  the  percentage  improvement  as  well  the  per¬ 
centage  of  disgruntled  employees  starting  to  attack. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


21 


Figure  13  shows  the  potential  decline  in  incidents  for  various  values  of  these  two  variables  as  a 
three-dimensional  surface. 


Number  of  Insider  Incidents  After  20  Years 


_ ■  0-2  ■  2-4  4-6  ■  6-8  ■8-10  ■10-12  12-14  ■  14-16 _ 

Figure  13:  Sensitivity  Simulation  Results  on  Insider  Threat  Incidents 

We  can  now  extend  the  model  to  better  understand  the  cost  savings  from  efforts  to  improve  em¬ 
ployees’  satisfaction  with  the  organization.  In  the  upper  right  comer  of  the  model  extension 
shown  in  Figure  14,  we  include  model  variables  to  estimate  the  number  of  counterproductive 
work  behaviors  of  satisfied  employees  and  a  multiplier  of  that  number  of  behaviors  for  dissatis¬ 
fied  employees.  Costs  are  estimated  both  as  a  cost  per  counterproductive  work  behavior,  in  terms 
of  lost  productivity,  and  the  costs  associated  with  insider  threat  incidents. 

The  following  values  are  assumed  for  these  variables  in  our  analysis: 

•  CWB  per  satisfied  =  0.5  CWB/month 

•  multiplier  CWB  rate  per  dissatisfied  =  4.0 

•  cost  per  CWB  =  $500 

•  cost  per  incident  =  $1M 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


22 


Figure  14:  Model  Extension  to  Estimate  Potential  Cost  Savings 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


23 


We  calculate  the  yearly  costs  as  the  simple  sum  of  the  costs  of  productivity  loss  due  to  CWBs  and 
the  costs  due  to  disgruntled  insider  threat  incidents.  We  form  a  yearly  cost  index  based  on  the 
costs  associated  with  no  satisfaction  improvement  (i.e.,  where  percent  satisfaction  improvement 
at  month  3  is  0). 


Figure  15  shows  the  decrease  in  relative  cost  from  the  baseline  due  to  various  levels  of  satisfac¬ 
tion  improvement.  For  example,  with  the  505  satisfaction  improvement  that  we  analyzed  previ¬ 
ously,  we  get  a  25%  reduction  in  yearly  costs  associated  with  egregious  insider  threat  incidents 
and  other  counterproductive  work  behaviors. 


Figure 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


24 


5  Positive  Incentive-Based  Principles  and  Practice  Areas 


We  believe  that  continuing  the  research  started  in  this  report  is  critical  to  establishing  and  manag¬ 
ing  effective  insider  threat  programs.  Our  vision  is  the  extension  of  the  traditional  security  ap¬ 
proach  shown  in  Figure  16.  The  right  side  of  the  figure  depicts  the  traditional  approach  focused  on 
negative  incentives  that  restrict  employees  to  prevent  abuse  and  detects  and  punishes  abuse  when 
it  occurs.  This  approach  is  based  on  a  negative  form  of  deterrence  as  promulgated  in  Deterrence 
Theory,  which  says  that  people  obey  rules  because  they  fear  getting  caught  and  being  punished. 
Restricting,  detecting,  and  punishing  employees  reinforces  the  deterrence  (negative)  of  abuse. 

Our  extension  of  security  through  positive  incentives  is  shown  on  the  left  side  of  the  figure.  In  its 
current  form,  as  supported  by  our  research,  organizational  support  (including  organization  justice) 
is  shown  as  the  foundation  of  positive  deterrence.  With  this  foundation  in  place,  connectedness 
with  co-workers  and  job  engagement  serve  to  strengthen  an  employee’s  commitment  to  the  organ¬ 
ization.  Organization  support  and  connectedness  also  strengthen  overall  engagement  in  a  feedback 
effect. 


This  form  of  positive  deterrence  complements  the  use  of  negative  deterrence  by  reducing  the 
baseline  of  insider  threat  in  a  way  that  can  improve  employees’  satisfaction,  performance,  and 
commitment  to  the  organization.  As  illustrated  in  our  modeling  effort,  fewer  incidents  and  coun¬ 
terproductive  behaviors  reduces  costs  through  fewer  investigations  and  greater  staff  productivity. 
Employing  the  right  mix  and  ratio  of  positive  and  negative  incentives  in  an  insider  threat  pro¬ 
gram  can  create  a  net  positive  for  both  the  employee  and  the  organization — moving  an  insider 
threat  program  from  a  “big  brother”  program  to  a  “good  employer”  program  that  actually  im¬ 
proves  employees’  work  life. 


Balanced  Deterence:  Extending  the  Traditional  Security  Paradigm 


Security  Through  Positive  Incentives 

| - Engagement  Feedback  *■ 

Engagement 

Connectedness 


Engaged 

Employees 


Connected 

Employees 


■  Fewer  unintended 
consequences 
1  Satisfaction, 
performance, 
retention 


Organizational 

Supportiveness 


Supported 

Employees 


Traditional  Security  Approach  (Negative  Incentives) 


Deterrence  Feedback 


Deterrence 


Restriction 


Monitoring 


Sanctions 


Deterred 

Abuse  Prevented 

Abuse  Detected 

Abuse  Punished 
Abuse 


Fewer  insider 
incidents  and 
misbehaviors 
Lower  investigative 
costs,  productivity 
loss 


Figure  1 6:  Extending  the  Traditional  Information  Security  Paradigm 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


25 


Figure  17  provides  a  breakdown  of  practice  areas  relevant  to  developing  and  retaining  staff  to 
achieve  an  organization’s  mission,  with  a  particular  focus  on  positive  incentives.  The  first  two 
branches  off  the  root  node  at  the  left  side  of  the  figure  involve  workforce  management  practices, 
including  hiring  and  retaining  the  appropriate  staff  with  the  right  job  responsibilities  and  ensuring 
that  they  are  positively  motivated  to  execute  responsibilities  that  support  achieving  the  organiza¬ 
tion’s  mission. 

The  third  branch  acknowledges  the  fact  that  employees  can  act  counter  to  the  organization’s  mis¬ 
sion  even  if  they  perform  their  job  well  in  other  respects.  This  branch,  which  traverses  the  red 
node  in  the  figure,  makes  this  partitioning  particularly  appropriate  for  guiding  the  development 
and  refinement  of  insider  threat  programs.  The  second  and  third  branches,  in  combination,  show 
that  practices  can  benefit  the  organization  in  terms  of  employee  satisfaction,  performance,  and  re¬ 
tention  as  well  as  reducing  the  insider  threat. 


Figure  1 7:  Taxonomy  of  Positive  Incentive  Workforce  Management  Practice  Areas 


This  section  describes  practice  areas  that  can  positively  incentivize  employees  in  their  job  and 
work  with  their  employer.  The  first  part  of  this  section  elaborates  the  first  branch  of  Figure  17  that 
has  bold  arrows  that  represent  attracting  the  right  staff. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


26 


The  second  part  of  this  section  elaborates  the  second  and  the  third  branches  of  Figure  17  that  ter¬ 
minate  with  the  fundamental  practice  areas  associated  with  perceived  organization  support  on  the 
right  side  of  the  figure. 

We  finish  this  section  with  a  discussion  of  organizational  culture.  (Appendix  D  provides  a  graphic 
of  all  the  practice  areas  integrated  together.)  This  discussion  focuses  on  practice  areas  that  pro¬ 
mote  perceived  organizational  support  because,  as  we  previously  described,  we  believe  that 
achieving  this  perception  is  the  foundation  for  other  positive  incentives  an  organization  can  em¬ 
ploy.  Without  that  perception,  all  else  can  be  undermined.  As  a  context  for  our  discussion,  Figure 
17  also  shows  other  factors  that  insider  threat  program  managers  should  consider  when  designing 
their  programs. 

5.1  Hiring  the  Right  Staff 

Needs  assessment  by  hiring 
^  group  to  develop  job  description 
linked  to  mission 

Establish  values  congruence  criteria 

to  determine  alignment  of 
individuals  with  organization  values 

Structured  interviewing  to 

determine  values  congruence  and 
alignment  with  job  description 

Establish  policies  and  procedures  for 
action  when  employee  values  become 
misaligned  with  organization  values 

Figure  18:  Factors  Involved  in  Hiring  the  Right  Staff 

Establishing  and  maintaining  the  right  workforce  is  a  precondition  of  using  positive  incentive- 
based  practices  to  help  align  employee  and  organizational  interests.  Congruence  of  values  among 
employees  and  the  organization  inherently  promotes  perceptions  of  organizational  support  [Eisen- 
berger  2011,  page  87].  While  background  checks  and  reference  checks  are  common  practices, 
some  organizations  may  decide  to  conduct  personality  or  background  tests  to  approximate  a  can¬ 
didate’ s  values  as  a  screening  mechanism  in  the  hiring  process.  For  federal  government  organiza¬ 
tions,  government -sponsored  labs,  and  contractors,  the  ability  to  obtain  a  security  clearance  in¬ 
volving  extensive  background  checks  may  also  be  a  condition  of  employment. 

The  hiring  process  usually  starts  with  a  needs  assessment  conducted  with  the  hiring  group,  possi¬ 
bly  facilitated  by  the  FIR  department.  A  formal  job  description  is  the  likely  work  product  of  the 
needs  assessment,  which  can  be  used  in  structured  interviews  of  job  candidates.  Competency- 
based  interviewing  can  be  a  good  way  to  solicit  and  verify  the  candidate’s  qualifications,  includ¬ 
ing  both  social  skills  and  technical  capabilities.  (See  the  Loominger  competencies  [Jantti  2012].) 

If  the  job  description  reflects  the  skills  and  capabilities  needed  and  its  contribution  to  the  organi¬ 
zation’s  mission,  then  a  good  employee  match  with  the  job  description  should  ensure  the  person’s 
ability  to  fulfil  the  job  responsibilities. 

CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  27 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


Attract  new  staff  to 
execute  job  responsibilities 
linked  to  mission 


There  are  usually  more  options  available  other  than  termination  in  the  case  of  an  employee  who 
becomes  dissatisfied  with  their  job  (e.g.,  adjusting  their  responsibilities  and/or  moving  to  another 
team  within  the  organization).  However,  if  an  employee’s  values  become  misaligned  with  the  or¬ 
ganization’s  values,  lack  of  resolution  may  require  the  person  to  be  respectfully  but  expeditiously 
ushered  out  of  the  organization. 

5.2  Perceived  Organizational  Support 

Perceived  organizational  support  (POS)  involves  the  extent  to  which  employees  believe  their  or¬ 
ganization  values  their  contributions,  cares  about  their  well-being,  supports  their  socio-emotional 
needs,  and  treats  them  fairly.  A  foundation  of  POS  is  Social  Exchange  Theory — a  theory  in  which 
individuals  interact  with  others  and  invest  in  relationships  in  a  way  that  maximally  benefits  them¬ 
selves. 

A  key  concept  is  the  norm  of  reciprocity,  which  has  both  a  positive  and  negative  form.  Positive 
reciprocity  involves  the  actions  of  employees  in  the  interests  of  the  organization  as  a  form  of  re¬ 
payment  (or  obligation  created)  for  favorable  treatment  by  the  organization.  Negative  reciprocity 
involves  misbehaviors  of  employees  performed  because  of  perceived  mistreatment. 

With  these  basic  concepts,  it  is  not  difficult  to  see  how  perceptions  of  organizational  support 
could  influence  insider-threat-related  behaviors.  How  can  an  organization  promote  these  percep¬ 
tions?  As  identified  in  Figure  17  and  elaborated  below,  POS  can  be  encouraged  through  organiza¬ 
tional  justice,  adequate  rewards  and  recognition,  effective  communication,  supportive  manage¬ 
ment,  and  effective  working  conditions  [Eisenberger  2011]. 

Organizational  Justice 


Fair  total 
compensation 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


28 


Past  research  shows  that  employees’  sense  of  fair  treatment  by  the  organization  is  the  strongest 
determinant  of  POS  [Eisenberger  2011].  Organizational  justice  involves  three  types  of  justice: 

•  Distributive  justice  involves  fairness  of  the  distribution  of  resources  within  the  organization, 
either  tangible  forms,  such  as  payment  and  rewards,  or  intangible  forms,  such  as  praise  and 
recognition.  For  example,  aligning  salaries  and  benefits  to  comparable  industry  benchmarks 
can  help  facilitate  perceptions  of  fairness. 

•  Procedural  justice  involves  fairness  of  the  processes  and  procedures  in  the  organization  that 
involve  outcomes  important  to  employees.  Employees’  sense  of  organization  support  comes 
from  the  consistency  and  fairness  of  procedures  involving  performance  appraisals,  for  exam¬ 
ple. 

•  Interactional  justice  involves  the  quality  of  treatment  employees  receive  as  the  organization 
makes  decisions  that  affect  them,  such  as  interpersonal  explanation  of  decisions  in  a  respect¬ 
ful  and  informative  way  (sometimes  called  interpersonal  justice  and  informational  justice,  re¬ 
spectively).  For  example,  perceptions  of  interactional  justice  may  depend  on  a  compassionate 
and  flexible  response  to  an  employee’s  request  for  time  off  to  deal  with  an  ailing  parent  or 
child. 

While  feelings  that  an  employer’s  actions  are  fair  and  equitable  may  come  over  many  years  of  an 
employee’s  experience,  involving  the  employee’s  perception  of  the  organization’s  treatment  of 
their  co-workers  and  self,  these  three  types  of  justice  allow  us,  in  our  research,  to  identify  specific 
practices  that  can  bolster  the  employee’s  overall  sense  of  fairness.  Threads  associated  with  these 
justice  types  appear  in  the  following  sections. 

Adequate  Rewards  and  Recognition 

Advancement  enabled 


Figure  20:  Factors  Involved  in  Adequate  Rewards  and  Recognition 

Some  prominent  research  has  found  that  extrinsic  incentives,  such  as  pay  raises  and  rewards,  can 
reduce  an  individual’s  intrinsic  sense  of  satisfaction  and  fulfillment.  However,  in  general,  that  re¬ 
search  only  weakly  links  the  incentive  with  performance.  Beyond  distributive  justice,  rewards  and 
recognition  that  are  strongly  linked  to  performance  can  boost  an  employee’s  sense  of  competence 

CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  29 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


and  mastery,  which,  as  a  result,  increases  perceptions  of  organizational  support.  Organizational 
rewards  and  recognition,  which  are  discretionary  by  management  or  peers,  have  a  much  greater 
effect  on  feelings  of  organizational  support  than  across-the-board  recognition.  In  addition,  align¬ 
ing  salaries  and  benefits  to  comparable  industry  benchmarks  can  help  facilitate  perceptions  of 
fairness. 

Making  sure  employees  know  about  the  total  remuneration,  including  benefits,  may  be  important 
especially  where  organizations  are  restricted  in  the  salary  levels  that  can  be  offered.  Promotions 
should  also  be  aligned  across  the  organization  with  the  level  of  employee  responsibility  and  per¬ 
formance. 

Problems  can  occur  in  organizations  where  the  primary  means  of  advancement  is  into  manage¬ 
ment  positions  different  from  the  technical  positions  into  which  employees  are  hired.  Manage¬ 
ment  skills  are  a  discipline  of  their  own;  there  is  no  guarantee  that  technical  people  have  such 
skills.  Creating  a  technical  track  of  advancement  separate  from  the  management  track  can  help 
ameliorate  these  problems. 

Effective  Communication 


Staff  feel  the  org 

communicates  well 


Effective  communication 
during  normal  course  of 
business 


Regular  employee 
orientation,  mentoring, 
expectation  setting 


Intra-  and  inter-group  information 
provided  helps  employees  fulfill 
their  responsibilities 

Communication  of  the 
discretionary  nature  of 
organization  actions  that 
benefit  employees 


Effective  communication 
during  potentially  adverse 
events 


Constructive  guidance  on 
performance  improvement 


Transparent  accounting  for 
organizational  actions  and 
their  impact  on  employee 


Conflict  resolution,  grievance,  and 
anonymous  commenting  procedures 
available  and  encouraged 


Figure  21:  Factors  Involved  in  Effective  Communication 


Management’s  effective  communication  with  employees  starts  from  day  one  of  an  employee’s 
tenure  with  new-employee  orientation  and  mentoring  to  help  establish  the  new  employee’s  posi¬ 
tion  in  the  organization.  Effective  communication  supports  an  employee’s  feelings  of  organiza¬ 
tional  support  during  both  good  and  bad  times.  The  greatest  gains  in  perception  of  organizational 
support  come  when  management  voluntarily  acts  in  favorable  ways  to  employees,  rather  than,  for 
example,  as  a  result  of  contractual  agreements  or  regulations.  However,  management  needs  to 
communicate  the  discretionary  nature  of  their  actions  and  the  benefit  to  the  employees.  Managers 
should  facilitate  information  sharing  among  and  within  groups,  especially  because  it  helps  em¬ 
ployees’  work  performance. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


30 


Reduction  in  POS  due  to  unfavorable  treatment  may  be  lessened  through  effective  communica¬ 
tion.  For  example,  the  organization  may  justify  the  treatment  as  outside  the  organization’s  control, 
diplomatically  explain  the  legitimacy  of  the  treatment,  or,  in  some  cases,  simply  apologize  for  ad¬ 
mitted  poor  treatment  and  rectify  the  matter  in  the  future.  Transparently  accounting  for  manage¬ 
ment  actions  and  conditions  may  be  the  best  way  to  ensure  employees  feel  fairly  treated.  Up-front, 
explicit  expectation  setting  may  also  help  prevent  employees  from  forming  unrealistic  expecta¬ 
tions  that  will  ultimately  fail  to  be  fulfilled. 

Employees’  sense  of  organization  support  also  comes  from  consistency  and  fairness  of  the  proce¬ 
dures  involving  performance  appraisals,  which  rely  on  managers’  effective  communication.  Of 
course,  performance  improvement  plans  may  be  necessary,  but  should  be  conducted  construc¬ 
tively  with  a  focus  on  the  positive  aspects  of  employee  performance,  rather  than  dwelling  on  the 
negative  aspects. 

Fair  grievance  and  conflict  resolution  procedures  should  be  in  place  to  address  issues  as  they 
come  up.  For  individuals  reluctant  to  express  their  concerns,  anonymous  commenting  procedures 
may  serve  a  useful  purpose.  Managers  need  to  both  effectively  communicate  to  and  facilitate 
communication  from  employees. 

Supportive  Management 


Professional  development  for 
furthering  employee  careers 
and  sense  of  mastery 

Expanding  jobs  according  to 
employee  strengths  and  interests 
with  potential  for  special  projects 

1  / 

Level  of  autonomy 
commensurate  with  experience 
and  competence 

Supportive  management  1 
■yt  during  normal  course  of  - - - __ 

Collaborative  work  projects  or 

Staff  feel  supervisors  / 
support  them  well 

//  business 

- >  job  rotation  for  those 

interested  in  other  areas 

Supportive  management 

^  Flexibility  and  respectfulness  upon 

during  adverse  events 

employee  special  requests  and  needs 

\ 

Helping  employees  struggling  with 
work  assignments  through  workload 
balancing  and  project  rightsizing 

--AI 

Confidential  employee  assistance 
programs  providing  an  impartial  third- 
party  to  discuss  issues  both  personal 
and  professional 

Figure  22:  Factors  Involved  in  Supportive  Management 


For  the  purposes  of  this  report,  supportive  management  deals  mostly  with  interactional  justice  as¬ 
sociated  with  the  treatment  employees  receive  from  their  direct  supervisors.  Supervisors  need  to 
know  their  direct  reports  well  to  make  informed  decisions  regarding  their  work  assignments  and 
daily  work  execution.  Making  sure  employees  have  the  resources  needed  to  execute  task  demands 
is  essential.  Providing  these  resources  and  opportunities  for  professional  development  chosen  by 
the  employee  facilitates  the  employees’  feelings  of  mastery  of  their  domain  of  interest,  job  en¬ 
gagement,  and  support  by  the  organization  in  furthering  their  careers. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


31 


Employees  that  perform  well  can  be  given  opportunities  to  identify  and/or  participate  in  special 
projects,  as  long  as  those  opportunities  are  available  to  all  employees.  Supportive  supervisors  can 
grant  an  employee  a  level  of  autonomy  commensurate  with  that  employee’s  experience  and  com¬ 
petence.  Employees  interested  in  the  work  of  other  teams  can  be  given  the  opportunity  to  work  on 
joint  projects  or  rotate  to  other  teams  in  the  organization  in  which  they  have  an  interest. 

Supportive  management  also  pertains  to  times  when  the  employee  is  experiencing  difficulties.  As 
mentioned,  perceptions  of  interactional  justice  may  depend  on  a  supervisor’s  compassionate  and 
flexible  response,  for  example,  to  an  employee’s  request  for  time  off  to  deal  with  medical  issues. 
When  problems  arise  with  an  employee’s  performance,  appreciative  inquiry  can  be  a  way  to  focus 
and  build  on  what  is  going  well — a  much  more  self-affirming  and  effective  approach  than  focus¬ 
ing  on  what  is  going  wrong  [Whitney  2010]. 

Workload  balancing  may  be  necessary  in  cases  where  high  performers  are  executing  more  than 
their  fair  share  of  the  work  across  employees  of  comparable  levels.  Another  problem  arises  when 
employees  are  split  across  so  many  projects  that  the  overhead  associated  with  context  switching 
degrades  performance  or  just  makes  the  job  miserable.  Rightsizing  the  number  of  projects  per  per¬ 
son  can  improve  employees’  feelings  of  organizational  support.  The  organization  should  provide 
and  managers  should  encourage  employee  assistance  programs  to  help  with  difficulties  both  per¬ 
sonal  and  professional. 


Effective  Working  Conditions 


Figure  23:  Factors  Involved  in  Effective  Working  Conditions 


Issues  dealt  with  previously,  such  as  management  supportiveness  and  organizational  communica¬ 
tion,  certainly  influence  the  quality  of  the  overall  work  environment.  However,  many  working 
conditions  are  so  ingrained  in  an  organization’s  way  of  doing  things  that  they  may  be  barely  no¬ 
ticeable  to  management.  These  conditions  may  actually  be  part  of  the  culture  of  the  organization, 
which  we  discuss  in  detail  in  the  next  section. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


32 


Effective  working  conditions  deal  with  issues  that  may  receive  little  attention.  However,  unless 
they  are  explicitly  acknowledged,  they  may  leave  some  employees  feeling  unsupported.  These 
implicit  working  conditions  vary  greatly  by  organization,  but  may  include  bigger  issues,  such  as 
terms  of  employment,  work-hour  or  location  flexibility,  and  work-family  policies,  or  smaller  is¬ 
sues  such  as  acceptable  office  temperature.  Some  of  these  issues  may  be  flexibly  addressed  by 
lower  level  managers.  However,  if  they  are  ingrained  in  culture  and  policy,  they  may  present  big¬ 
ger  obstacles  to  employees.  Organizations  need  to  consider  the  many  potential  issues  involving 
working  conditions  in  creating  an  environment  that  is  supportive  to  employees. 

5.3  Sociocultural  Considerations 

Sociocultural  considerations  at  the  individual,  group,  and  organizational  levels  are  also  pertinent 
to  the  successful  adoption  of  positive  incentives  that  reduce  the  insider  threat.  This  importance  is 
due,  in  part,  to  the  diverse  cultural  backgrounds  of  the  individuals  employed  by  organizations  as 
well  as  the  culture  and  subcultures  of  the  organization  and  its  subunits. 

Today,  the  workforce  employed  by  organizations  in  the  United  States  commonly  includes  individ¬ 
uals  who  were  bom  and  reared  outside  the  city,  state,  and  region  of  the  organization’s  location  as 
well  as  outside  the  United  States.  According  to  the  Bureau  of  Labor  and  Statistics,  in  2014,  16.6% 
of  those  employed  (16  years  old  and  over)  were  foreign  born.7  The  majority,  30.7%,  of  the  for¬ 
eign-born  were  employed  in  the  fields  of  management,  professional,  and  related  occupations. 

The  cultural  diversity  of  the  workforce  has  created  organizations  that  can  be  described  as  being 
culturally  heterogeneous.  This  cultural  heterogeneity  may  require  organizations  to  consider  the 
cultural  composition  of  the  workforce  and  the  culturally  relevant  motivators  that  encourage  em¬ 
ployees  to  act  consistent  with  their  interest.  For  example,  cultural  variations  in  communication, 
concepts  of  time,  and  degree  of  individualism  and  collectivism  adopted  from  their  birth  countries 
may  directly  impact  how  individuals  and  groups  consume  and  interpret  workforce  management 
practices. 

When  communicating,  meaning  and  context  cannot  be  decoupled,  and  it  is  important  for  manage¬ 
ment  to  examine  meaning  and  context  together.  The  high-low  context  continuum  created  by  Hall 
in  1976  considers  both  meaning  and  context,  and  places  cultures  along  a  dimension  spanning  from 
high  context  to  low  context  [Hall  1976].  This  continuum  provides  insights  for  understanding  cul¬ 
turally  significant  differences  between  cultures  and  communication. 

In  high-context  cultures,  cultural  knowledge  is  implicit,  and  contextually  bound  non-verbal  as¬ 
pects  of  communication  are  as  important  as  is  the  silence  that  accompanies  the  explicit  verbal 
code  (i.e..  the  words  themselves).  The  focus  of  the  high-context  culture  is  people  and  relationships 
and,  through  these  relationships,  an  understanding  of  the  non-verbal  aspects  of  communication 
find  meaning.  In  a  low-context  culture,  knowledge  is  explicit  and  communication  in  both  written 
and  spoken  form  is  explicit  and  based  on  direct  statements.  In  low-context  cultures,  the  listener 
understands  the  message  as  it  was  intended  [Hall  1976]. 


http://www.bls.gov/news.release/forbrn.t04.htm 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


33 


How  people  perceive  and  organize  time  and  space  is  a  sociocultural  construct  that  influences  our 
daily  lives — how  we  interact  with  others  and  how  we  perceive  our  past  and  future.  Based  on  eth¬ 
nographic  research,  Hall  proposed  two  variant  solutions  of  how  time  and  space  are  culturally  or¬ 
ganized — monochromic  and  polychromic  time.  Cultures  with  polychromic  tendencies  view  time 
as  something  that  is  fluid,  flexible,  and  adjustable  to  fit  the  needs  of  the  individual  or  group.  In 
monochromic  cultures,  time  is  viewed  as  something  that  is  structured  and  can  be  compartmental¬ 
ized  and  wasted  [Hall  1976].  Tardiness  to  meetings,  pre -meeting  conversation,  or  interruptions  are 
acceptable  in  polychromic  cultures,  while  it  is  considered  unacceptable  in  monochromic  cultures. 

Broad  generalizations  about  the  sociocultural  construct  of  a  country  can  be  found  in  Hofstede’s 
dimensions  of  individuals  and  collectivism.  Individualism  and  collectivism  each  represent  a  set  of 
distinguishing  values;  a  position  on  the  dimension  reflects  a  focus  of  either  “I”  (the  individual)  or 
“we”  (the  collective  group).  On  a  scale  of  0  to  100,  the  most  collectivistic  countries  are  closest  to 
0,  and  those  with  high  individualistic  traits  are  closer  to  100. 

Interpersonal  relationships  and  trust  are  important  to  all  aspects  of  life  in  high-context  and  collec¬ 
tivistic  societies.  Behavior  in  collectivistic  societies  is  governed  by  in-group  norms  with  a  focus 
toward  the  good  of  the  collective  group  versus  the  good  of  the  individual.  Collectivistic  cultures 
value  a  sense  of  self-respect  and  having  the  acceptance  and  approval  of  one’s  peers,  supervisors, 
and  family  members.  Conflict  can  arise  from  the  violation  of  boundaries,  norms  of  group  loyalty 
and  commitment,  reciprocal  obligations,  and  trust.  When  dealing  with  conflicts  or  problems,  high- 
context,  collectivistic  societies  focus  on  the  social  aspects  and  implications  of  a  problem  [Guess 
2004].  According  to  Guess,  members  of  these  societies  value  security  (of  the  group);  are  more 
risk-avoiding;  and  follow  passive,  collaborative,  and  avoidance  strategies. 

In  summary,  when  organizations  design  and  deploy  positive  incentives,  they  should  consider  the 
sociocultural  composition  of  the  workforce.  This  consideration  ensures  their  practices  provide 
motivators  for  individuals  and  groups  with  high-context,  polychromic  collectivistic  tendencies 
and  low-context,  monochromic,  and  individualistic  tendencies.  For  example,  individuals  with 
high-context,  polychromic,  and  collectivistic  tendencies  might  respond  best  to  practices  that  illus¬ 
trate  the  positive  benefits  to  the  group  and  the  long-term  impacts.  Individuals  with  low-context, 
monochromic,  and  individualistic  tendencies  might  respond  best  to  practices  that  illustrate  the 
positive  to  the  individual  and  include  short-  and  long-term  impacts. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


34 


6  Conclusions  and  Future  Work 


Traditional  insider  threat  management  involves  practices  that  constrain  users,  monitor  their  be¬ 
havior,  and  detect  and  punish  misbehavior.  Such  negative  incentives  attempt  to  force  employees 
to  act  in  the  interests  of  the  organization  and,  when  relied  on  excessively,  can  result  in  negative 
unintended  consequences  that  exacerbate  the  threat  [Moore  2015]. 

Positive  incentives  that  attempt  to  attract  employees  to  act  in  the  interests  of  the  organization  can 
complement  negative  incentives.  We  identified  and  analyzed  three  avenues  for  aligning  the  inter¬ 
ests  of  the  employee  and  the  organization:  job  engagement,  perceived  organizational  support,  and 
connectedness  with  co-workers.  This  report  describes  research  that  provides  evidence  that  a  par¬ 
ticular  set  of  positive  incentives  focused  on  increasing  organizational  support  to  employees  can 
reduce  the  insider  threat. 

In  summary,  this  report  describes  our  research  progress  in  several  areas: 

•  Analyzing  several  high-profile  insider  incidents  for  the  levels  of  job  engagement,  co-worker 
connectedness,  and  perceived  organization  support  evident  during  the  incident  timeline.  Per¬ 
ceived  organizational  support  was  found  to  be  extremely  negative,  while  job  engagement  and 
co-worker  connectedness  were  found  to  be  low,  but  not  necessarily  in  the  extreme.  These  in¬ 
cident  case  studies  suggested  focusing  on  organizational  support  in  our  survey  research. 

•  Conducting  a  survey  of  individuals  responsible  for  establishing  insider  threat  programs  in 
organizations.  Supporting  and  extending  previous  research,  we  found  a  negative  correlation 
between  perceived  organizational  support  and  intentional  (primarily  malicious)  counterpro¬ 
ductive  work  behaviors.  A  somewhat  weaker  negative  correlation  was  also  found  between  or¬ 
ganizational  justice  and  these  behaviors.  The  relationships  were  found  to  be  statistically  sig¬ 
nificant  at  the  95%  confidence  level.  However,  the  exploratory  nature  of  our  initial  analysis 
does  not  permit  us  to  generalize  this  relationship  to  the  larger  population  of  organizations. 

•  Developing  a  simulation  model  that  illustrates  the  value  of  positive  incentives.  We  developed 
a  system  dynamics  model  based  on  published  data  and  simple  (but  arguable)  assumptions 
showing  how  positive  incentives  can  increase  a  program’s  operational  efficiency  with  re¬ 
duced  investigative  costs  and  fewer  incidents  involving  disgruntled  or  exploitive  insiders.  Our 
incident  analysis  and  survey  work  provided  validation  of  the  simulation  model  structure  (i.e., 
the  stock  and  flow  structure  of  the  system  dynamics  model).  We  will  continue  to  calibrate  our 
model  based  on  future  research  and  expect  to  demonstrate  similar  benefits  as  our  work  pro¬ 
gresses. 

Our  research  raises  many  questions  about  how  an  insider  threat  program  can  or  should  incorporate 
positive  incentives  that  improve  employees’  perceptions  of  support  by  the  organization.  Our  re¬ 
search  established  negative  correlations  between  positive  employee  attitudes  regarding  organiza¬ 
tional  support  and  frequency  of  cyber-related  insider  misbehavior  for  the  organizations  surveyed; 
however,  more  research  is  needed  to  demonstrate  that  those  positive  attitudes  cause  less  misbe¬ 
havior  and  that  the  survey  results  generalize  to  the  larger  population  of  organizations  establishing 
insider  threat  programs. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


35 


In  parallel  with  the  above  foundational  research,  we  plan  to  work  with  individual  organizations  to 
focus  on  what  we  believe  to  be  the  key  to  a  successful  insider  threat  program:  identifying  the  mix 
of  positive  and  negative  incentives  that  creates  a  net  positive  for  both  the  employee  and  the  organ¬ 
ization.  This  report  elaborates  candidate  positive  incentive-based  principles  and  practice  areas,  but 
this  is  just  a  first  step.  The  challenge  is  that  people  respond  to  incentives  differently  depending  on 
the  culture  of  the  organization,  the  nature  of  their  job,  and  their  personality.  Fortunately,  existing 
theory  provides  insight  into  these  differences  and  help  organizations  build  a  transition  process  to 
develop  the  right  balance  of  positive  and  negative  incentives.  Such  incentives  promote  employee 
satisfaction,  performance,  and  retention,  and  ultimately  help  organizations  become  more  effective 
at  reducing  the  insider  threat. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


36 


Appendix  A  Research  Landscape 


Figure  24  provides  an  overview  of  our  research  in  the  context  of  related  research,  development, 
and  practice.  In  general,  the  top  left  provides  a  two-dimensional  partition  that  focuses  on  the  HR 
domain,  while  the  bottom  right  provides  a  two-dimensional  partition  that  focuses  on  the  cyberse¬ 
curity  domain.  Our  research  is  positioned  at  the  nexus  of  these  two  domains  with  a  focus  on  early- 
stage  disincentivization  of  insider  threats  using  positive  incentives  that  benefit  both  the  employee 
and  the  organization. 


Court  ter  product!  vity, 
Security  Threats 


Traditional 
IT  Security 
Measures 


Negative 
Incentives ' 


Old-School 
HR  Domain 


Our  Focus 

★ - 

Studies  Relating 
Employee  Engagement  to 
Fewer  Counterproductive 
Work  Behaviors 

Positive 

Incentives 


The  novel  aspect  of  this  work  is  early 
threat  disincentivization  using 
approaches  that  benefit  both  the 
employee  and  the  organization. 

I 
i 
t 
\ 

\ 


Modern  HR  Domain, 
Positive  Psychology, 
Employee  Engagement 


Early  Stage, 
Motivation  Formation 


\  Our  Focus 


Productivity, 

Performance 


Soft-Power 
Approaches  to 
External  Threat 


X-Axis:  Practice  Type 
Y-Axis:  Practice  Target 


External 
Threats 
(inc.  Masqueraders) 


Intrusion  and 
Behavior  Anomaly 
Detect/Respond 


Psycho/Socio/Technical 
Approaches,  Including 
Sentiment  Analysis 

Insider 
Threats 
(Traitors) 

Traditional  Insider 
Attack  Detect/Respond 


X-Axis:  Malicious  Threat  Type 
Y-Axis:  Stage  of  Mitigation 


Late  Stage, 

Detection  and  Response 


Figure  24:  Research  Landscape 


The  partition  in  the  top  left  of  Figure  24  breaks  the  space  by  practice  type  and  practice  target. 
Along  the  X  axis,  practice  type  is  split  into  negative  and  positive  incentives.  Along  the  Y  axis,  the 
target  of  the  practice  addresses  whether  the  primary  intent  is  improving  employee  productivity  or 
performance  versus  decreasing  counteiproductivity  or  security  threats.  Negative  incentives  em¬ 
body  the  traditional  information  technology  (IT)  security  approach  of  constraining  and  detective 
policies  and  technologies.  They  are  also  the  core  of  old-school  HR  practice  that  focused  on  rules 
for  proper  employee  behavior  and  punishment  for  misbehavior. 

While  a  balanced  approach  focuses  on  a  combination  of  positive  and  negative  incentives,  positive 
incentives  have  been  studied  extensively  in  the  modern  era  [Levy  2013,  Smither  2009].  By  far, 
most  of  this  research  focuses  on  the  benefits  of  this  approach  for  improved  productivity,  perfor¬ 
mance,  and  retention,  including  relatively  recent  focus  in  an  area  called  “positive  psychology” 
[Seligman  2012].  While  much  of  the  recent  practice-based  literature  focuses  on  a  concept  called 
“work  engagement,”  researchers  have  noted  that  this  concept  is  actually  a  conflation  of  a  lot  of 
previously  established  social  science  theories  and  domains  of  research  [Meyer  2013]. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


37 


The  partition  in  the  bottom  right  portion  of  Figure  24  breaks  the  space  into  malicious  threat  type 
and  stage  of  mitigation.  While  we  do  not  consider  unintentional  threats,  we  represent  the  insider 
(employee)  threat  on  the  right  and  the  external  threat  on  the  left,  including  non-insiders  that  break 
into  an  organization’s  systems  and  masquerade  as  an  authorized  insider.  Along  the  Y  axis  we  in¬ 
clude  everything  from  early-stage  formation  of  threat  actor  motivations  to  late-stage  detection  and 
response  to  harmful  behaviors. 

The  bulk  of  cybersecurity  research,  development,  and  practice  covers  the  external  threat  on  the 
left  side  of  the  partition,  especially  in  the  later  stage.  Relatively  little  research  has  been  conducted 
on  early-stage  mitigation  of  the  external  threat,  as  might  be  investigated  using  soft-power  ap¬ 
proaches  to  cybersecurity  [Nye  2011].  While  traditional  insider  threat  detection  and  response  ap¬ 
proaches  focus  on  later  stage  activities  [Salem  2008],  our  research  focuses  on  the  early-stage  mo¬ 
tivation  formation.  And  rather  than  focusing  on  early-stage  detection  of  at-risk  behaviors,  such  as 
in  other  research  [Brown  2013,  Brdiczka  2012,  Greitzer  2010],  we  focus  on  the  prevention  of  em¬ 
ployee  alienation  by  fostering  positive  attitudes  about  the  organization  and  the  employee’s  work 
experience. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  38 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


Appendix  B  Scales  Used  in  Incident  Coding 


Perceived  Organizational  Support  Scale  [Eisenberger  1986] 


-2 

1 

0 

1 

1 

+2 

w 

Strongly  Disagree: 

1 

Disagree: 

1 

Neither  Agree  nor 

1 

Agree: 

• 

Strongly  Agree: 

Perceives  Org  as 

Perceives  Org  as 

Disagree: 

Perceives  Some 

Perceives  Absolute 

Antagonistic 

Actively 

Perceives  Org  as 

Support  from  Org 

Support  from  Org 

(eg,  org  sabotages 

Disinterested 

Not  Paying 

(eg,  managers  helpful 

(eg,  active  concern 

efforts,  org  harshly 

(eg,  manager 

Attention 

when  asked, 

for  employee, 

critical,  emp  criticizes 

avoids  contact. 

(eg,  managers  go 

feedback  provided 

constructive 

the  org) 

unconstructive 

through  motions 

but  sometimes 

feedback, 

feedback) 

but  difficult  to  get 
their  time  to 
discuss  work 
issues) 

unconstructive) 

EAP  availability) 

Figure  25:  Perceived  Organizational  Support  Scale 


To  what  extent  would  the  subject  of  the  incident  agree  or  disagree  with  the  following  statements 
about  the  victim  organization? 

1 .  The  organization  values  my  contribution  to  its  well-being. 

2.  The  organization  appreciates  the  extra  effort  I  give. 

3.  The  organization  would  respond  to  complaints  I  might  have. 

4.  The  organization  really  cares  about  my  well-being. 

5.  The  organization  would  notice  if  and  when  I  do  exceptional  work. 

6.  The  organization  cares  about  my  general  satisfaction  at  work. 

7.  The  organization  shows  concern  for  me. 

8.  The  organization  takes  pride  in  my  accomplishments  at  work. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


39 


Job  Engagement  Scale  [Schaufeli  2006] 


-2 

a 

1 

0 

1 

1 

+2 

V 

1 

1 

1 

- • 

Strongly  Disagree: 

Disagree: 

Neither  Agree  nor 

Agree: 

Strongly  Agree 

Actively  Disengaged 

Mildly  Disengaged 

Disagree: 

Mildly  Engaged 

Thoroughly  Engaged 

(eg,  emp  looking  for 

(eg,  emp  are  checked 

Neither  engaged  nor 

(eg,  is  engaged  in 

(eg,  enthusiastic, 

new  job,  frequent 

out,  sleepwalking 

disengaged 

work  while  there  but 

dedicated,  absorbed  at 

absence/tardiness, 

through  the  day, 

(eg,  performs 

does  not  put  any 

work  and  in  job  most  of 

depression,  late  with 
assignments  or 
complete  non¬ 
performance, 
disrupting  others’ 
work) 

putting  time  in  only) 

adequately  while  on 
job  but  watches  clock 
and  doesn’t 
volunteer) 

extra  effort  beyond 
normal  work  hours) 

the  time) 

Figure  26:  Job  Engagement  Scale 


For  the  incident  in  question,  to  what  extent  do  you  agree  or  disagree  with  the  following  statements 
about  the  subject’s  job  in  the  victim  organization?  (Note:  questions  1-3  are  about  the  employee’s 
vigor  in  their  job;  questions  4-6  are  about  the  employee’s  dedication  to  their  job;  and  questions  7- 
9  are  about  the  employee’s  absorption  in  their  job.) 

1 .  At  work,  I  feel  bursting  with  energy. 

2.  At  my  job,  I  feel  strong  and  vigorous. 

3.  When  I  get  up  in  the  morning,  I  feel  like  going  to  work. 

4.  I  am  enthusiastic  about  my  job. 

5.  My  job  inspires  me. 

6.  I  am  proud  of  the  work  that  I  do. 

7.  I  feel  happy  when  I  am  working  intensely. 

8.  I  am  immersed  in  my  work. 

9.  I  get  carried  away  when  working. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


40 


Connectedness  with  Co-Workers  Scale  [Brien  2012,  Malone  2012] 


-2 

1 

0 

1 

1 

+2 

V 

Strongly  Disagree: 

1 

Disagree: 

1 

Neither  Agree  nor 

1 

Agree: 

w 

Strongly  Agree: 

Antagonistic  with 

Conflict  with 

Disagree: 

Mostly  Professional 

High  Level  of 

Coworkers 

Coworkers 

Isolated  from 

with  Coworkers 

Connectedness 

(eg,  lack  of  relations 

(eg,  minimal  relations 

Coworkers 

(eg,  friendly  with 

(eg,  friends  with 

needed  to  do  job, 

with  some  conflict 

(eg,  maintaining 

coworkers  but 

coworkers  including 

lots  of  conflict 

that  disrupts  work) 

some  relations  to  do 

infrequently  outside 

frequent  social 

disrupting  work 
across  projects) 

work  only) 

work) 

functions) 

Figure  27:  Connectedness  with  Co-Workers  Scale 


For  the  incident  in  question,  to  what  extent  do  you  agree  or  disagree  with  the  following  statements 
about  the  subject’s  connection  with  co-workers  in  the  victim  organization? 


1. 

2. 

3. 

4. 

5. 

6. 

7. 

8. 

9. 

10. 


When  I’m  with  the  people  from  my  work  environment,  I  feel  understood. 

When  I’m  with  the  people  from  my  work  environment,  I  feel  heard. 

When  I’m  with  the  people  from  my  work  environment,  I  feel  as  though  I  can  trust  them. 
When  I’m  with  the  people  from  my  work  environment,  I  feel  I  am  a  friend  to  them. 
When  I’m  with  the  people  from  my  work  environment,  I  feel  included. 

I  have  close  bonds  with  the  people  from  my  work  environment. 

I  feel  accepted  by  the  people  from  my  work  environment. 

I  have  a  sense  of  belonging  in  my  work  environment. 

I  have  a  place  at  the  table  with  others  in  my  work  environment. 

I  feel  connected  with  others  in  my  work  environment. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


41 


Appendix  C  Survey  Components 


Organizational  Justice  [Moorman  1991] 

Distributive  Justice 

1 .  My  work  schedule  is  fair. 

2.  I  think  that  my  level  of  pay  is  fair. 

3.  I  consider  my  workload  to  be  quite  fair. 

4.  Overall,  the  rewards  I  receive  here  are  quite  fair. 

5.  I  feel  that  my  job  responsibilities  are  fair. 

Procedural  Justice 

1 .  Job  decisions  are  made  by  the  general  manager  in  an  unbiased  manner. 

2.  My  general  manager  makes  sure  that  all  employee  concerns  are  heard  before  job  deci¬ 
sions  are  made. 

3.  To  make  job  decisions,  my  general  manager  collects  accurate  and  complete  information 
when  requested  by  employees. 

4.  My  general  manager  clarifies  decisions  and  provides  additional  information  when  re¬ 
quested  by  employees. 

5.  All  job  decisions  are  applied  consistently  across  all  affected  employees. 

6.  Employees  are  allowed  to  challenge  or  appeal  job  decisions  made  by  the  general  man¬ 
ager. 

Interactional  Justice 

1.  When  decisions  are  made  about  my  job,  the  general  manager  treats  me  with  kindness  and 
consideration. 

2.  When  decisions  are  made  about  my  job,  the  general  manager  treats  me  with  respect  and 
dignity. 

3.  When  decisions  are  made  about  my  job,  the  general  manager  is  sensitive  to  my  personal 
needs. 

4.  When  decisions  are  made  about  my  job,  the  general  manager  deals  with  me  in  a  truthful 
manner. 

5.  When  decisions  are  made  about  my  job,  the  general  manager  shows  concern  for  my 
rights  as  an  employee. 

6.  Concerning  decisions  made  about  my  job,  the  general  manager  discusses  the  implications 
of  the  decisions  with  me. 

7.  The  general  manager  offers  adequate  justification  for  decisions  made  about  my  job. 

8.  When  making  decisions  about  my  job,  the  general  manager  offers  explanations  that  make 
sense  to  me. 

9.  My  general  manager  explains  very  clearly  any  decision  made  about  my  job. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


42 


Survey  of  Perceived  Organizational  Support  (SPOS)  [Eisenberger  1986] 

1 .  The  organization  values  my  contribution  to  its  well-being. 

2.  If  the  organization  could  hire  someone  to  replace  me  at  a  lower  salary  it  would  do  so.  -R8 

3.  The  organization  fails  to  appreciate  any  extra  effort  from  me.  -R 

4.  The  organization  strongly  considers  my  goals  and  values. 

5.  The  organization  would  understand  a  long  absence  due  to  my  illness. 

6.  The  organization  would  ignore  any  complaint  from  me.  -R 

7.  The  organization  disregards  my  best  interests  when  it  makes  decisions  that  affect  me.  -R 

8.  Help  is  available  from  the  organization  when  I  have  a  problem. 

9.  The  organization  really  cares  about  my  well-being. 

10.  The  organization  is  willing  to  extend  itself  to  help  me  perform  my  job  to  the  best  of  my 
ability. 

1 1 .  The  organization  would  fail  to  understand  my  absence  due  to  a  personal  problem.  -R 

12.  If  the  organization  found  a  more  efficient  way  to  get  my  job  done  they  would  replace  me. 
-R 

13.  The  organization  would  forgive  an  honest  mistake  on  my  part. 

14.  It  would  take  only  a  small  decrease  in  my  performance  for  the  organization  to  want  to  re¬ 
place  me.  -R 

15.  The  organization  feels  there  is  little  to  be  gained  by  employing  me  for  the  rest  of  my  ca¬ 
reer.  -R 

16.  The  organization  provides  me  little  opportunity  to  move  up  the  ranks.  -R 

17.  Even  if  I  did  the  best  job  possible,  the  organization  would  fail  to  notice.  -R 

18.  The  organization  would  grant  a  reasonable  request  for  a  change  in  my  working  condi¬ 
tions. 

19.  If  I  were  laid  off,  the  organization  would  prefer  to  hire  someone  new  rather  than  take  me 
back.  -R 

20.  The  organization  is  willing  to  help  me  when  I  need  a  special  favor. 

2 1 .  The  organization  cares  about  my  general  satisfaction  at  work. 

22.  If  given  the  opportunity,  the  organization  would  take  advantage  of  me.  -R 

23.  The  organization  shows  very  little  concern  for  me.  -R 

24.  If  I  decided  to  quit,  the  organization  would  try  to  persuade  me  to  stay. 

25.  The  organization  cares  about  my  opinions. 

26.  The  organization  feels  that  hiring  me  was  a  definite  mistake.  -R 

27.  The  organization  takes  pride  in  my  accomplishments  at  work. 

28.  The  organization  cares  more  about  making  a  profit  than  about  me.  -R 

29.  The  organization  would  understand  if  I  were  unable  to  finish  a  task  on  time. 

30.  If  the  organization  earned  a  greater  profit,  it  would  consider  increasing  my  salary. 

3 1 .  The  organization  feels  that  anyone  could  perform  my  job  as  well  as  I  do.  -R 

32.  The  organization  is  unconcerned  about  paying  me  what  I  deserve.  -R 

33.  The  organization  wishes  to  give  me  the  best  possible  job  for  which  I  am  qualified. 

34.  If  my  job  were  eliminated,  the  organization  would  prefer  to  lay  me  off  rather  than  transfer 
me  to  a  new  job.  -R 

35.  The  organization  tries  to  make  my  job  as  interesting  as  possible. 

36.  My  supervisors  are  proud  that  I  am  a  part  of  this  organization. 


R  indicates  that  the  item  is  reverse  scored. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


43 


CY-CWB 


On  average,  how  frequently  does  each  non-accidental  employee  behavior  occur  at  your  organization?  Please  estimate  if  you  cannot 
remember. 

Occasionally  =  at  least  once  a  year 
Sometimes  =  at  least  once  every  other  month 
Often  =  at  least  once  a  week 
All  the  time  =  at  least  once  daily  * 

In  your  opinion,  how  often  does  this  employee  behavior  typically  occur  at  your 
organization? 


Purposely  damaging  a  piece  of  equipment  that  the  organization 
owns.  * 

[  —  Please  Select  -- 

Purposely  vandalizing  a  company  website.  * 

[  —  Please  Select  -- 

Purposely  took  a  non-trivial  item(s)  valued  over  $25  without 
permission.  * 

[  —  Please  Select  --  pj 

Purposely  reading  sensitive  documents  not  authorized  to  read.  * 

[  —  Please  Select  —  pj 

Purposely  damaging  someone's  work  product  (reports,  repository, 
blogs,  etc).  * 

[  —  Please  Select  --  [  ▼ 

Purposely  inhibiting  a  coworker's  progress.  * 

[  -- Please  Select  —  p" 

Purposely  logging  into  an  assigned  work  computer  during  business  hours  to  appear 
as  if  working  but  not  actually  working.  * 

[  -- Please  Select  —  pj 

Purposely  producing  work  that  was  low  quality  when  high  quality  work  was  easy 
and  possible.  * 

[  -- Please  Select --  pj 

Purposely  installing  software  to  harm  organization.  • 

[  --  Please  Select  —  p 

Purposely  sending  an  email  to  harm  another  person's  computer.  * 

[  —  Please  Select  --  |  ▼  | 

Purposely  providing  coworkers  with  sensitive  information  for  which  they 
were  not  authorized.  * 

[  —  Please  Select  —  pj 

Purposely  and  inappropriately  transmitting  employer's  proprietary 
information  internally.  • 

[  --  Please  Select  - 

Purposely  taking  physical  or  electronic  copies  of  employer's  proprietary 
information  upon  resignation.  * 

|  --  Please  Select  —  pj 

Purposely  mislabeling  the  sensitivity  of  emails  and/or  documents.  • 

[  --  Please  Select  - 

Purposely  violating  an  acceptable-use  policy  for  tools  and  technology.  * 

[  —  Please  Select  --  ^ 

Purposely  violating  a  known  security  policy.  * 

|  -  Please  Select  -- 

Purposely  accessing  the  organization’s  network  remotely  in  an  unauthorized  way.  * 

|  --  Please  Select  —  pj 

Purposely  transmitting  organizational  proprietary  information  externally  without 
authorization.  * 

|  --  Please  Select  --  ^ 

Purposely  committed  an  unauthorized  wiretap  on  their  organization's  conversations. 

(wiretap  =  intercepting  telephone  and  internet  communications  in  an  unauthorized  manner) 

[  —  Please  Select  —  ^ 

Purposely  disabled  security  controls  without  authorization.  * 

[  —  Please  Select  --  pj 

Purposely  plagiarizing  a  co-worker's  efforts.  * 

|  --  Please  Select  —  pj 

Purposely  posting  disgruntled  feelings  towards  their  organization  to  the  external  world 
(email,  social  media,  texts,  etc).  * 

|  -  Please  Select  —  w 

CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


44 


Appendix  D 


Positive  Incentive-Based  Principles  and  Practice  Areas 


Figure  28:  Taxonomy  of  Positive  Incentive  Workforce  Management 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY  45 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


Fair  total 
compensation 


Fair  awards  and 
recognition 


Fair  task  assignment 
and  resourcing 


Establis j/values 

o  determine  alignmer 
^/iduals  with 


Needs  assessment 
group  to  develop  job  de. 
linked  to  mission 


reconditions 
nvolving  recruiting 
and  hiring  the  right 
sta 


Staff  feel  the  distribution  of 
resources  with  tl 

(distnj}«ffive  justice 


procedures  in  the  organization 


ocedurej^ 

n  employee  valuesjfecome 
ligned  with  orgajjiierfion  values 


Positive 


incentives  promotir 

. 

satisfaction,  performar 
and  retention 


Staff  c< 
coworkers  they  need 
to  work  with 


At-risk  /nsider 
behaviors  are  detected 
and  mitigated  to 
prevent  compromise 


Positive  incentives 
reducing  inside 
threat 


Imider  compron 

d.  thro  ugh 
negative  tncen^H 


ler  compi 

Tiro  ugh  other 
positive  incentives 


Staff  feel  the  org  is 

fair  and  equitable 


Staff  feel  the  org 
rewards  well 


Organizational 
Justice  (Fairness 


Fair  compliance  and  ethics 
reporting  procedures 

Fair  conflict  resolution  and 
grievance  procedures 

Fair  performance 
appraisals. 

Respectful  interpersonal 
treatment 


appropriate  for  individual's 
skills  and  abilities 


Transparent  criteria  for  promotions, 
rewards,  and  recognition 


Regular  employee 
orientation,  mentoring, 
expectation  setting 


Intra-and  inter-group  information 
provider 


,  Staff  feel  the  org 
communicates  well 


Staff  feel  that 
supervisors  support 
I  _  them  well 


Transparent 
and  Respectful 
Communication 


Professional 
and  Personal 
Supportiveness 


■Expanding  jr 

employee  strengths  and  interests 
with  potential  for  special  projects 


Level  of  autonomy 


m  Staff  feel  th 
working  con 
are  goc 


and 


Culture 
ind  Working 
Conditions  . 


Collaborative  work  projects  or 
job  rotation  for  those 
isted  in  other  areas 


ap&eGm 

petence 

Connectedness 

employee  special  requests  and  need: 


Helping  employees  struggling  with 
work  assignments  through  workload 
balancing  and  project  rightsizing 


Staff  Relations 


Compensation 
Staff  Time  Off  and  and  benefits 

Development  Leave 


Confidential  employee  assistance 
programs  providing  an  impartial  third- 
party  to  discuss  issues  both  personal 
and  professional 


Figure  29:  Positive  Incentive-Based  Practice  Areas 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


46 


Bibliography 


URLs  are  valid  as  of  the  publication  date  of  this  document. 

[Abas  2015] 

Abas,  C.;  Omar,  F.;  Halim,  F.  W.;  &  Hafidz,  S.  W.  M.  The  Mediating  Role  of  Organizational- 
Based  Self-Esteem  in  Perceived  Organizational  Support  and  Counterproductive  Work  Behaviour 
Relationship.  International  Journal  of  Business  and  Management.  Volume  10.  Number  9.  May  1, 
2015.  Page  99. 

[Adams  1963] 

Adams,  J.  S.  Towards  an  Understanding  of  Inequity.  The  Journal  of  Abnormal  and  Social  Psy¬ 
chology.  Volume  67.  Number  5.  November  1963.  Page  422. 

[Af sheen  2013] 

Afsheen,  Fatima;  Iqbal,  Muhammad  Zahid  &  Imran,  Rabia.  Organizational  Commitment  and 
Counterproductive  Work  Behavior:  Role  of  Employee  Empowerment.  Pages  665-679.  In  Pro¬ 
ceedings  of  the  Sixth  International  Conference  on  Management  Science  and  Engineering  Man¬ 
agement.  London.  2013.  http://link.springer.eom/chapter/10.1007%2F978-l-4471-4600-l_57 

[Aquino  2001] 

Aquino,  K.;  Tripp,  T.  M.;  &  Bies,  R.  J.  How  Employees  Respond  to  Personal  Offense:  the  Effects 
of  Blame  Attribution,  Victim  Status,  and  Offender  Status  on  Revenge  and  Reconciliation  in  the 
Workplace.  Journal  of  Applied  Psychology.  Volume  86.  Number  1.  February  2001.  Page  52. 

[Ariani  2013] 

Ariani,  D.  W.  The  Relationship  Between  Employee  Engagement,  Organizational  Citizenship  Be¬ 
havior,  and  Counterproductive  Work  Behavior.  International  Journal  of  Business  Administration. 
Volume  4.  Number  2.  March  1,  2013.  Page  46. 

[Baard  2004] 

Baard,  P.  P.;  Deri,  E.  L.  &  Ryan,  R.  M.  Intrinsic  Need  Satisfaction:  A  Motivational  Basis  of  Per¬ 
formance  and  Weil-Being  in  Two  Work  Settings.  Journal  of  Applied  Social  Psychology.  Volume 
34.  Number  10.  October  1,  2004.  Page  2045. 

[Babcock-Roberson  2010] 

Babcock-Roberson,  M.  E.  &  Strickland,  O.  J.  The  Relationship  Between  Charismatic  Leadership, 
Work  Engagement,  and  Organizational  Citizenship  Behaviors.  The  Journal  of  Psychology .  Vol¬ 
ume  144.  Number  3.  April  8,  2010.  Page  313. 

[Bakker  2007] 

Bakker,  A.  B.;  Hakanen,  J.  J.;  Demerouti,  E.  &  Xanthopoulou,  D.  Job  Resources  Boost  Work  En¬ 
gagement,  Particularly  When  Job  Demands  Are  High.  Journal  of  Educational  Psychology.  Vol¬ 
ume  99.  Number  2.  May  2007.  Page  274. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


47 


[Bakker  2008] 

Bakker,  A.  B.  &  Schaufeli,  W.  B.  Positive  Organizational  Behavior:  Engaged  Employees  in 
Flourishing  Organizations.  Journal  of  Organizational  Behavior.  Volume  29.  Number  2.  February 
1,  2008.  Page  147. 

[Biernacki  1981] 

Biernacki,  Patrick  &  Waldorf,  Dan.  Snowball  Sampling:  Problems  and  Techniques  of  Chain  Re¬ 
ferral  Sampling.  Sociological  Methods  and  Research.  Volume  10.  Number  2.  November  1,  1981. 
Page  141. 

[Bordia  2008] 

Bordia,  P.;  Restubog,  S.  L.  D.;  &  Tang,  R.  L.  When  Employees  Strike  Back:  Investigating  Mediat¬ 
ing  Mechanisms  Between  Psychological  Contract  Breach  and  Workplace  Deviance.  Journal  of  Ap¬ 
plied  Psychology.  Volume  93.  Number  5.  September  2008.  Page  1 104. 
http://psvcnet.apa.Org/iournals/apl/93/5/l  104/ 

[Bolino  2015] 

Bolino,  M.  C.  &  Klotz,  A.  C.  The  Paradox  of  the  Unethical  Organizational  Citizen:  The  Link  Be¬ 
tween  Organizational  Citizenship  Behavior  and  Unethical  Behavior  at  Work.  Current  Opinion  in 
Psychology.  Volume  6.  Number  45.  December  31,  2015.  Page  49. 

[Bowling  2011] 

Bowling,  N.  A.  &  Michel,  J.  S.  Why  Do  You  Treat  Me  Badly?  The  Role  of  Attributions  Regard¬ 
ing  the  Cause  of  Abuse  in  Subordinates'  Responses  to  Abusive  Supervision.  Work  &  Stress.  Vol¬ 
ume  25.  Number  4.  October  1,  201 1.  Page  309. 

[Brdiczka  2012] 

Brdiczka,  O.;  Liu,  Juan;  Price,  B.;  Shen,  Jianqiang;  Patil,  A.;  Chow,  R.;  Bart,  E.;  &  Ducheneaut, 
N.  Proactive  Insider  Threat  Detection  through  Graph  Learning  and  Psychological  Context.  Pages 
142-149.  In  2012  IEEE  Symposium  on  Security  and  Privacy  Workshops  (SPW).  San  Francisco, 
California.  May  24,  2010.  http://ieeexplore.ieee. org/xpls/abs_all.jsp?arnumber=6227698 

[Brien  2012] 

Brien,  Maryse;  Forest,  Jacques;  Mageau,  Genevieve  A.;  Boudrias,  Jean-Sebastien;  Desrumaux, 
Pascale;  Brunet,  Luc;  &  Morin,  Estelle  M.  The  Basic  Psychological  Needs  at  Work  Scale:  Meas¬ 
urement  Invariance  Between  Canada  and  France.  Applied  Psychology:  Health  and  Well-Being. 
Volume  4.  Number  2.  July  1,  2012.  Page  167. 

[Brown  2013] 

Brown,  Christopher  R.;  Watkins,  Alison;  &  Greitzer,  Frank  L.  Predicting  Insider  Threat  Risks 
Through  Linguistic  Analysis  of  Electronic  Communication.  Pages  1849-1858.  In  2013  46th  Ha¬ 
waii  International  Conference  on  System  Sciences  (HICSS).  Wailea,  Maui,  Hawaii.  January  7, 
2013.  http://ieeexplore.ieee. org/xpls/abs_all.jsp?arnumber=6480064 

[Buckingham  2009] 

Buckingham,  Marcus.  What  Great  Managers  Do.  The  Essential  Guide  to  Leadership.  Volume  99. 
2009. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


48 


[Bunn  2014] 

Bunn,  M.  &  Sagan,  S.D.  A  Worst  Practices  Guide  to  Insider  Threats:  Lessons  from  Past  Mistakes. 
American  Academy  of  Arts  and  Sciences.  2014.  ISBN  0-87724-097-3 
https://www.amacad.org/content/publications/publication.aspx?d=1425 

[Bushman  2001] 

Bushman,  B.  J.;  Baumeister,  R.  F.;  &  Phillips,  C.  M.  Do  People  Aggress  to  Improve  Their  Mood? 
Catharsis  Beliefs,  Affect  Regulation  Opportunity,  and  Aggressive  Responding.  Journal  of  Person¬ 
ality  and  Social  Psychology.  Volume  81.  Number  1.  July  2001.  Page  17. 
http://psycnet.apa.Org/journals/psp/81/l/17/ 

[Buss  1961] 

Buss,  A.  H.  The  Psychology  of  Aggression.  Wiley.  1961.  ISBN  978-0758104885. 
http://www.worldcat.org/title/psychology-of-aggression/oclc/204291 

[Cappelli  2012] 

Cappelli,  Dawn  M.;  Moore,  Andrew  P.;  &  Trzeciak,  Randall  F.  2012.  The  CERT  Guide  to  Insider 
Threats:  How  to  Prevent,  Detect,  and  Respond  to  Information  Technology  Crimes  (Theft,  Sabo¬ 
tage,  Fraud).  Addison-Wesley. 

[Cappelli  2009] 

Cappelli,  Dawn;  Moore,  Andrew;  Trzeciak,  Randall;  &  Shimeall,  Timothy  J.  Common  Sense 
Guide  to  Prevention  and  Detection  of  Insider  Threats  3rd  Edition  -  Version  3.1.  White  Paper. 
Software  Engineering  Institute,  Carnegie  Mellon  University.  2009. 
http://resources.sei. emu. edu/library/asset -view. cfm?assetid=50275. 

[Colbert  2004] 

Colbert,  A.  E.;  Mount,  M.  K.;  Harter,  J.  K.;  Witt,  L.  A.;  &  Barrick,  M.  R.  Interactive  Effects  of 
Personality  and  Perceptions  of  the  Work  Situation  on  Workplace  Deviance.  Journal  of  Applied 
Psychology.  Volume  89.  Number  4.  August  2004.  Page  599. 

[Colquitt  2001] 

Colquitt,  J.  A.;  Conlon,  D.  E.;  Wesson,  M.  J.;  Porter,  C.  O.;  &  Ng,  K.  Y.  Justice  at  the  Millen¬ 
nium:  a  Meta-Analytic  Review  of  25  Years  of  Organizational  Justice  Research.  Journal  of  Ap¬ 
plied  Psychology.  Volume  86.  Number  3.  June  2001.  Page  425. 

[CPNI  2014] 

Centre  for  the  Protection  of  National  Infrastructure  (CPNI).  Ongoing  Personnel  Security:  A  Good 
Practice  Guide  -  Edition  Three.  Center  for  the  Protection  of  the  National  Infrastructure.  2014. 
http://www.cpni.gov.uk/documents/publications/2014/13-november-2014-ops%20brief- 
ing%20sheet.pdf?epslanguage=en-gb 

[Cropanzano  1989] 

Cropanzano,  R.  &  Folger,  R.  Referent  Cognitions  and  Task  Decision  Autonomy:  Beyond  Equity 
Theory.  Journal  of  Applied  Psychology.  Volume  74.  Number  2.  April  1989.  Page  293. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


49 


[Dalai  2005] 

Dalai,  R.  S.  A  Meta-Analysis  of  the  Relationship  Between  Organizational  Citizenship  Behavior 
and  Counterproductive  Work  Behavior.  Journal  of  Applied  Psychology.  Volume  90.  Number  6. 
November  2005.  Page  1241. 

[De  Quervain  2004] 

De  Quervain,  D.  J.;  Fischbacher,  U.;  Treyer,  V.  &  Schellhammer,  M.  The  Neural  Basis  of  Altruis¬ 
tic  Punishment.  Science,  Volume  305.  Number  5688.  August  2004.  Page  1254. 

[DiCiccio  1996] 

DiCiccio,  TJ.  &  Efron,  B.  Bootstrap  confidence  intervals.  Statistical  Science.  JSTOR.  pp.  189- 
212. 1996. 

[DSS  2016] 

Defense  Security  Service  (DSS).  Roles  and  Responsibilities  for  Personnel  Security:  A  Guide  for 
Supervisors.  United  States:  Defense  Security  Service.  2016.  http://www.sec- 
nav.navy.mil/dusnp/Security/Personnel/Documents/Supv_Role_in_PerSecDec2010.pdf 

[Eisenberger  1986] 

Eisenberger,  R.;  Fluntington,  R.;  Hutchison,  S.;  &  Sowa,  D.  Perceived  Organizational  Support. 
Journal  of  Applied  Psychology.  Volume  71.  Number  3.  1986.  Page  500. 

[Eisenberger  1990] 

Eisenberger,  R.;  Fasolo,  P.;  &  Davis-LaMastro,  V.  (1990).  Perceived  organizational  support  and 
employee  diligence,  commitment,  and  innovation.  Journal  of  Applied  Psychology.  Volume  75. 
Pages  51-59.  http://classweb.uh.edu/eisenberger/wp-content/uploads/sites/21/2015/04/22_Per- 
ceived_Organizational_Support.pdf 

[Eisenberger  2011] 

Eisenberger,  R.  &  Stinglhamber,  F.  201 1.  Perceived  Organizational  Support:  Fostering  Enthusi¬ 
astic  and  Productive  Employees.  American  Psychological  Association.  ISBN  978-1-4338-0933-0. 
http://www.apa.org/pubs/books/4316128.aspx 

[Ferris  2009] 

Ferris,  D.  L.;  Brown,  D.  J.;  Lian,  H.;  &  Keeping,  L.  M.  When  Does  Self-Esteem  Relate  to  Deviant 
Behavior?  The  Role  of  Contingencies  of  Self-Worth.  Journal  of  Applied  Psychology.  Volume  94. 
Number  5.  September  2009.  Page  1345. 

[Folger  1996] 

Folger,  R.  &  Baron,  R.  A.  Violence  and  Hostility  at  Work:  A  Model  of  Reactions  to  Perceived  In¬ 
justice.  American  Psychological  Association.  1996. 

[Gagne  2005] 

Gagne,  M.  &  Deci,  E.  L.  Self-Determination  Theory  and  Work  Motivation.  Journal  of  Organiza¬ 
tional  Behavior.  Volume  26.  Number  4.  June  2005.  Page  331. 
http://onlinelibrary.wiley.com/doi/10.1002/job.322/full 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


50 


[Gallup  2013] 

Gallup.  State  of  the  American  Workplace:  Employee  Engagement  Insights  for  U.S.  Business  Lead¬ 
ers.  Gallup.  2013.  http://www.gallup.com/services/178514/state-american-workplace.aspx 

[GAO  2015] 

Government  Accountability  Office  (GAO).  Insider  Threats:  DOD  Should  Strengthen  Manage¬ 
ment  and  Guidance  to  Protect  Classified  Information  and  Systems.  GAO-15-544.  U.S.  Govern¬ 
ment  Accountability  Office.  2015.  http://www.gao.gov/assets/680/670570.pdf 

[Greenberg  1998] 

Greenberg,  J.  &  Alge,  B.  J.  Aggressive  Reactions  to  Workplace  Injustice.  Elsevier  Science/JAI 
Press.  1998. 

[Greenhaus  2006] 

Greenhaus,  J.  H.  &  Powell,  G.  N.  When  Work  and  Family  Are  Allies:  A  Theory  of  Work-Family 
Enrichment.  Academy  of  Management  Review.  Volume  31.  Number  1.  January  2006.  Page  72. 

[Greitzer  2010] 

Greitzer,  Frank  F.  &  Frincke,  Deborah  A.  Combining  Traditional  Cyber  Security  Audit  Data  with 
Psychosocial  Data:  Towards  Predictive  Modeling  for  Insider  Threat  Mitigation.  In  Insider  Threats 
in  Cyber  Security,  Christian  W.  Probst,  Jeffrey  Hunker,  Dieter  Gollmann,  and  Matt  Bishop  [edi¬ 
tors].  Springer.  Pages  85-113.  2010.  http://link.springer.com/chapter/10.1007/978-l-4419-7133- 
3_5 

[Guess  2004] 

Guess,  C.  Dominik.  Decision  Making  in  Individualistic  and  Collectivistic  Cultures.  Online  Read¬ 
ings  in  Psychology  and  Culture.  Volume  4.  Number  1.  2004. 
http://dx.doi.org/10.9707/2307-0919.1032 

[Hakanen  2005] 

Hakanen,  J.  J.;  Bakker,  A.  B.;  &  Demerouti,  E.  How  Dentists  Cope  with  Their  Job  Demands  and 
Stay  Engaged:  The  Moderating  Role  of  Job  Resources.  European  Journal  of  Oral  Sciences.  Vol¬ 
ume  1 13.  Number  6.  December  2005.  Page  479. 

[Hall  1976] 

Hall,  Edward  T.  Beyond  Culture.  Anchor  Books.  1976.  ISBN  978-0385124744. 

[Halvorson  2013] 

Halvorson,  H.  G.  &  Higgins,  E.  T.  Focus:  Use  Different  Ways  of  Seeing  the  World  to  Power  Suc¬ 
cess  and  Influence.  Plume.  2013.  ISBN  978-0142180730. 

[Jantti  2012] 

Jantti,  Margie  &  Greenhalgh,  Nick.  Leadership  Competencies:  a  Reference  Point  for  Develop¬ 
ment  and  Evaluation.  Library  Management.  Volume  33.  Number  6/7.  July  2012.  Page  421. 

[Jermier  1994] 

Jermier,  J.  M.;  Knights,  D.  E.;  &  Nord,  W.  R.  Resistance  and  Power  in  Organizations.  Cengage 
Learning  EMEA.  1994.  ISBN  978-0415117944. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


51 


[Kim  1998] 

Kim,  S.  H.;  Smith,  R.  H.;  &  Brigham,  N.  L.  Effects  of  Power  Imbalance  and  the  Presence  of  Third 
Parties  on  Reactions  to  Harm:  Upward  and  Downward  Revenge.  Personality  and  Social  Psychol¬ 
ogy  Bulletin.  Volume  24.  Number  4.  April  1998.  Page  353. 
http://psp.sagepub.eom/content/24/4/353.short 

[Konovsky 1994] 

Konovsky,  M.  A.  &  Pugh,  S.  D.  Citizenship  Behavior  and  Social  Exchange.  Academy  of  Manage¬ 
ment  Journal.  Volume  37.  Number  3.  June  1994.  Page  656. 

[Krischer  2010] 

Krischer,  M.  M.;  Penney,  L.  M.;  &  Hunter,  E.  M.  Can  Counterproductive  Work  Behaviors  Be 
Productive?  CWB  as  Emotion-Focused  Coping.  Journal  of  Occupational  Health  Psychology. 
Volume  15.  Number  2.  April  2010.  Page  154. 

[Kurtessis  2015] 

Kurtessis,  J.  N.;  Eisenberger,  R.;  Ford,  M.  T.;  Buffardi,  L.  C.;  Stewart,  K.  A.;  &  Adis,  C.  S.  Per¬ 
ceived  Organizational  Support:  a  Meta-Analytic  Evaluation  of  Organizational  Support  Theory. 
Journal  of  Management.  March  2015. 

http://jom.sagepub.com/content/early/2015/03/12/0149206315575554.abstract 

[LePine  2002] 

LePine,  J.  A.;  Erez,  A.;  &  Johnson,  D.  E.  The  Nature  and  Dimensionality  of  Organizational  Citi¬ 
zenship  Behavior:  a  Critical  Review  and  Meta- Analysis.  Journal  of  Applied  Psychology.  Volume 
87.  Number  1.  February  2002.  Page  52. 

[Levy  201 3] 

Levy,  P.  Industrial/Organizational  Psychology:  Understanding  the  Workplace.  Worth  Publishers. 
2013.  ASIN  B00HTK33PS. 

[Luthans  2008] 

Luthans,  F.;  Norman,  S.  M.;  Avolio,  B.  J.;  &  Avey,  J.  B.  The  Mediating  Role  of  Psychological 
Capital  in  the  Supportive  Organizational  Climate — Employee  Performance  Relationship.  Journal 
of  Organizational  Behavior.  Volume  29.  Number  2.  February  2008.  Page  219. 

[Magnani  2005] 

Magnani,  R.;  Sabin,  K.;  Saidel,  T.;  &  Heckathorn,  D.  Review  of  Sampling  Hard-to-Reach  and 
Hidden  Populations  for  HIV  Surveillance.  Aids.  Volume  19.  May  2005.  Page  S67.  http://jour- 
nals. lww.com/aidsonline/Abstract/2005/05002/Review_of_sampling_hard_to_reach_and_hid- 
den.9.aspx 

[Malone  2012] 

Malone,  Glenn  P.;  Pillow,  David  R.;  &  Osman,  Augustine.  The  General  Belongingness  Scale 
(GBS):  Assessing  Achieved  Belongingness.  Personality  and  Individual  Differences.  Volume  52. 
Number  3.  February  2012.  Page  311. 

http://www.sciencedirect.com/science/article/pii/S019188691 100482X 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


52 


[Mauno  2007] 

Mauno,  S.;  Kinnunen,  U.  &  Ruokolainen,  M.  Job  Demands  and  Resources  as  Antecedents  of 
Work  Engagement:  A  Longitudinal  Study.  Journal  of  Vocational  Behavior.  Volume  70.  Number 
1.  February  2007.  Page  149. 

[Meyer  2013] 

Meyer,  John  P.  The  Science-Practice  Gap  and  Employee  Engagement:  It’s  a  Matter  of  Principle. 
Canadian  Psychology/Psychologie  Canadienne.  Volume  54.  Number  4.  November  2013.  Page 
235. 

[Mitchell  2007] 

Mitchell,  M.  S.  &  Ambrose,  M.  L.  Abusive  Supervision  and  Workplace  Deviance  and  the  Moder¬ 
ating  Effects  of  Negative  Reciprocity  Beliefs.  Journal  of  Applied  Psychology.  Volume  92.  Num¬ 
ber  4.  July  2007.  Page  1 159. 

[Moore  2016] 

Moore,  A.P.;  Kennedy,  K.;  &  Dover,  T.  Introduction  to  the  Special  Issue  on  Insider  Threat  Mod¬ 
eling  and  Simulation.  Journal  on  Computational  and  Mathematical  Organization  Theory,  Sep¬ 
tember  2016. 

[Moore  2015] 

Moore,  A.P.;  Novak,  W.E.;  Collins,  M.L.;  Trzeciak,  R.F.;  &  Theis,  M.C.  Effective  Insider  Threat 
Programs:  Understanding  and  Avoiding  Potential  Pitfalls.  White  paper.  Software  Engineering 
Institute,  2015. 

[Moorman  1991] 

Moorman,  R.  H.  Relationship  Between  Organizational  Justice  and  Organizational  Citizenship  Be¬ 
haviors:  Do  Fairness  Perceptions  Influence  Employee  Citizenship?  Journal  of  Applied  Psychol¬ 
ogy.  Volume  76.  Number  6.  December  1991.  Page  845. 

[Moorman  1998] 

Moorman,  R.  H.;  Blakely,  G.  L.;  &  Niehoff,  B.  P.  Does  Perceived  Organizational  Support  Medi¬ 
ate  the  Relationship  Between  Procedural  Justice  and  Organizational  Citizenship  Behavior?  Acad¬ 
emy  of  Management  Journal.  Volume  41.  Number  3.  June  1998.  Page  351. 
http://amj.aom.Org/content/41/3/351.short 

[Muse  2008] 

Muse,  L.;  Harris,  S.  G.;  Giles,  W.  F.  &  Feild,  H.  S.  Work-Life  Benefits  and  Positive  Organiza¬ 
tional  Behavior:  Is  There  a  Connection?  Journal  of  Organizational  Behavior.  Volume  29.  Num¬ 
ber  2.  February  2008.  Page  171.  http://onlinelibrary.wiley.com/doi/10.1002/job.506/full 

[Niehoff  1993] 

Niehoff,  B.  P.  &  Moorman,  R.  H.  Justice  as  a  Mediator  of  the  Relationship  Between  Methods  of 
Monitoring  and  Organizational  Citizenship  Behavior.  Academy  of  Management  Journal.  Volume 
36.  Number  3.  June  1993.  Page  527.  http://amj.aom.Org/content/36/3/527.short 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


53 


[Neuman  2005] 

Neuman,  J.  H.  &  Baron,  R.  A.  Aggression  in  the  Workplace:  A  Social-Psychological  Perspective. 
Counterproductive  Work  Behavior:  Investigations  of  Actors  and  Targets.  Volume  7.  2005.  Page 
13.  https://www.researchgate.net/profile/Joel_Neuman/publication/232493951_Aggres- 
sion_in_the_Workplace_A_Social-Psychological_Perspec- 
tive/links/564bfc  If08ae4ae893b8 1 883.pdf 

[Nye  2011] 

Nye,  Joseph  S.  The  Future  of  Power.  Public  Affairs.  2011.  ISBN  978-1610390699. 

[OPM  2015] 

Office  of  Personnel  Management  (OPM).  Federal  Employee  Viewpoint  Survey  Results:  Employ¬ 
ees  Influencing  Change.  U.S.  Office  of  Personnel  Management.  2015. 
https://www.fedview.opm.gov/20 1 5/ 

[Organ  1 988] 

Organ,  D.  W.  Organizational  Citizenship  Behavior:  The  Good  Soldier  Syndrome.  Lexington 
Books.  1988.  ISBN  978-06691 17882. 

[Pink  2011] 

Pink,  Daniel  H.  Drive:  The  Surprising  Truth  About  What  Motivates  Us.  Riverhead  Books.  2011. 
ISBN  978-1594484803.  http://www.danpink.com/books/drive/ 

[Restubog  2011] 

Restubog,  S.  L.  D.;  Scott,  K.  L.;  &  Zagenczyk,  T.  J.  When  Distress  Hits  Home:  The  Role  of  Con¬ 
textual  Factors  and  Psychological  Distress  in  Predicting  Employees'  Responses  to  Abusive  Super¬ 
vision.  Journal  of  Applied  Psychology.  Volume  96.  Number  4.  July  2011.  Page  713. 

[Restubog  2015] 

Restubog,  Simon  Lloyd  D.;  Zagenczyk,  Thomas  J.;  Bordia,  Prashant;  Bordia,  Sarbari;  &  Chap¬ 
man,  Georgia  J.  If  You  Wrong  Us,  Shall  We  Not  Revenge?  Moderating  Roles  of  Self-Control  and 
Perceived  Aggressive  Work  Culture  in  Predicting  Responses  to  Psychological  Contract  Breach. 
Journal  of  Management.  Volume  41.  Number  4.  May  2015.  Page  1132. 
http://jom.sagepub.eom/content/41/4/l  132. short 

[Rhoades  2001] 

Rhoades,  L.;  Eisenberger,  R.;  &  Armeli,  S.  Affective  Commitment  to  the  Organization:  the  Con¬ 
tribution  of  Perceived  Organizational  Support.  Journal  of  Applied  Psychology.  Volume  86.  Num¬ 
ber  5.  October  2001.  Page  825. 

[Rhoades  2002] 

Rhoades,  L.  &  Eisenberger,  R.  Perceived  Organizational  Support:  a  Review  of  the  Literature. 
Journal  of  Applied  Psychology.  Volume  87.  Number  4.  August  2002.  Page  698. 

[Rich  2010] 

Rich,  B.  L.;  Lepine,  J.  A.;  &  Crawford,  E.  R.  Job  Engagement:  Antecedents  and  Effects  on  Job 
Performance.  Academy  of  Management  Journal.  Volume  53.  Number  3.  June  2010.  Page  617. 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


54 


[Rousseau  1995] 

Rousseau,  Denise.  Psychological  Contracts  in  Organizations:  Understanding  Written  and  Un¬ 
written  Agreements.  Sage  Publications.  1995.  ISBN  978-0803971042. 
https://us.sagepub.com/en-us/nam/psychological-contracts-in-organizations/book5077 

[Saks  2006] 

Saks,  A.  M.  Antecedents  and  Consequences  of  Employee  Engagement.  Journal  of  Managerial 
Psychology.  Volume  21.  Number  7.  October  2006.  Page  600. 

[Salem  2008] 

Salem,  Malek  Ben;  Hershkop,  Shlomo;  &  Stolfo,  Salvatore  J.  A  Survey  of  Insider  Attack  Detec¬ 
tion  Research.  In  Insider  Attack  and  Cyber  Security.  Salvatore  J.  Stolfo,  Steven  M.  Bellovin,  An¬ 
gelos  D.  Keromytis,  Shlomo  Hershkop,  Sean  W.  Smith,  and  Sara  Sinclair  [editors]  Springer  Pages 
69-90.  2008 .  http  ://link. springer.com/chapter/ 10.1 007/978-0-387-77322-3_5 . 

[Sarbin  1994] 

Sarbin,  T.R.;  Carney,  R.M.;  &  Eoyang,  C.  Citizen  Espionage:  Studies  in  Trust  and  Betrayal.  Prae- 
ger.  1994.  ISBN  978-0275947521. 

http://www.abc-clio.com/ABC-CLIOCorporate/product.aspx?pc=C3951C 

[Schaufeli  2004a] 

Schaufeli,  Wilmar  B.  &  Bakker,  Arnold  B.  Utrecht  Work  Engagement  Scale:  Preliminary  Manual. 
Occupational  Health  Psychology  Unit,  Utrecht  University.  2004.  http://www.wilmarschau- 
feli.nl/publications/Schaufeli/Test%20Manuals/Test_manual_UWES_English.pdf 

[Schaufeli  2004b] 

[Schaufeli,  W.  B.  &  Bakker,  A.  B.  Job  Demands,  Job  Resources,  and  Their  Relationship  with 
Burnout  and  Engagement:  A  Multi-Sample  Study.  Journal  of  Organizational  Behavior.  Volume 
25.  Number  3.  May  2004.  Page  293.  http://onlinelibrary.wiley.com/doi/10.1002/job.248/full 

[Schaufeli  2006] 

Schaufeli,  Wilmar  B.;  Bakker,  Arnold  B.;  &  Salanova,  Marisa.  The  Measurement  of  Work  En¬ 
gagement  with  a  Short  Questionnaire  a  Cross-National  Study.  Educational  and  Psychological 
Measurement.  Volume  66.  Number  4.  August  2006.  Page  701.  http://epm.sagepub.com/con- 
tent/ 66/4/7 0 1 .  short 

[Seligman  2012] 

Seligman,  Martin  E.  P.  Flourish:  A  Visionary  New  Understanding  of  Happiness  and  Well-Being. 
Reprint  Edition.  Atria  Books.  2012.  ISBN  978-1439190760. 

http://www.simonandschuster.com/books/Flourish/Martin-E-P-Seligman/9781439190760 

[Shadish  2002] 

Shadish,  W.  R.;  Cook,  T.  D.;  &  Campbell,  D.  T.  Experimental  and  Quasi-Experimental  Designs 
for  Generalized  Causal  Inference.  Wadsworth  Cengage  Learning.  2002.  ISBN  978-0395615560. 
http://www.cengage.com/search/productOver- 

view.do?N=  16+429494678  l&Ntk=P_EPI&Ntt=2047527565408989632416783915204677283& 
Ntx=mode%2Bmatchallpartial 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


55 


[Shantz  2014] 

Shantz,  A.;  Alfes,  K.;  &  Latham,  G.  P.  The  Buffering  Effect  of  Perceived  Organizational  Support 
on  the  Relationship  Between  Work  Engagement  and  Behavioral  Outcomes.  Human  Resource 
Management.  December  2014. 

[Shore  1993] 

Shore,  L.  M.  &  Wayne,  S.  J.  Commitment  and  Employee  Behavior:  Comparison  of  Affective 
Commitment  and  Continuance  Commitment  with  Perceived  Organizational  Support.  Journal  of 
Applied  Psychology.  Volume  78.  Number  5.  October  1993.  Page  774. 

[Shoss  2013] 

Shoss,  Mindy  K.;  Eisenberger,  Robert;  Restubog,  Simon  Lloyd  D.;  &  Zagenczyk,  Thomas  J. 
Blaming  the  organization  for  abusive  supervision:  The  Roles  of  Perceived  Organizational  Support 
and  Supervisor’s  Organizational  Embodiment.  Journal  of  Applied  Psychology.  Volume  98.  Num¬ 
ber  1.  January  2013.  Page  158. 

[Simpson  2009] 

Simpson,  M.  R.  Engagement  at  Work:  A  Review  of  the  Literature.  International  Journal  of  Nurs¬ 
ing  Studies.  Volume  46.  Number  7.  July  2009.  Page  1012. 

[Skarlicki  1997] 

Skarlicki,  D.  P.  &  Folger,  R.  Retaliation  in  the  Workplace:  The  Roles  of  distributive,  procedural, 
and  Interactional  Justice.  Journal  of  Applied  Psychology.  Volume  82.  Number  3.  June  1997.  Page 
434. 

[Smither  2009] 

Smither,  James  W.  &  Manuel  London,  eds.  Performance  Management:  Putting  Research  into  Ac¬ 
tion.  First  Edition.  Wiley.  2009.  ISBN  978-0470192320. 
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470 192321.html 

[Sonnentag  2003] 

Sonnentag,  S.  Recovery,  Work  Engagement,  and  Proactive  Behavior:  a  New  Look  at  the  Interface 
Between  Nonwork  and  Work.  Journal  of  Applied  Psychology.  Volume  88.  Number  3.  June  2003. 
Page  518. 

[Spreen  1992] 

Spreen  M.  Rare  Populations,  Hidden  Populations,  and  Link-Tracing  Designs:  What  and 

Why?  Bulletin  de  Methodologie  Sociologique.  Volume  36.  Number  1.  September  1992.  Page  34. 

http://bms.sagepub.eom/content/36/l/34.short 

[Sudman  1986] 

Sudman,  Seymour  &  Kalton,  Graham.  New  Developments  in  the  Sampling  of  Special  Popula¬ 
tions.  Annual  Review  of  Sociology .  1986.  Page  401. 
http://www.jstor.org/stable/2083209?seq=l#page_scan_tab_contents 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


56 


[Sulea  2012] 

Sulea,  C.;  Virga,  D.;  Maricutoiu,  L.  P.;  Schaufeli,  W.;  Dumitru,  C.  Z.;  &  Sava,  F.  A.  Work  En¬ 
gagement  as  Mediator  Between  Job  Characteristics  and  Positive  and  Negative  Extra-Role  Behav¬ 
iors.  Career  Development  International.  Volume  17.  Number  3.  June  2012.  Page  188. 
http://www.emeraldinsight.com/doi/full/ 10.1 108/1362043 1211241 054 

[Tang  1998] 

Tang,  T.  L.  P.  &  Ibrahim,  A.  H.  S.  Antecedents  of  Organizational  Citizenship  Behavior  Revisited: 
Public  Personnel  in  the  United  States  and  in  the  Middle  East.  Public  Personnel  Management.  Vol¬ 
ume  27.  Number  4.  December  1998.  Page  529.  http://ppm.sagepub.eom/content/27/4/529.short 

[Theoharidou  2005] 

Theoharidou,  M.,  Kokolakis,  S.;  Karyda,  M.;  &  Kiountouzis,  E.  The  Insider  Threat  to  Information 
Systems  and  the  Effectiveness  of  ISO  17799.  Computers  &  Security.  Volume  24.  Number  6.  Sep¬ 
tember  2005.  Page  472.  http://www.sciencedirect.eom/science/artide/pii/S0167404805000684 

[van  Buuren  2012] 

van  Buuren,  S.  Flexible  Imputation  of  Missing  Data.  Chapman  &  Hall/CRC.  Boca  Raton,  FL. 
2012. 

[van  Buuren  2011] 

van  Buuren,  S.  &  Groothuis-Oudshoorn,  K.  MICE:  Multivariate  Imputation  by  Chained  Equations 
in  R.  Journal  of  Statistical  Software.  Volume  45.  Number  3.  2011.  Pages  1-67.  http://www.jst- 
atsoft.org/v45/i03/ 

[Vermunt  2005] 

Vermunt,  R.  &  Steensma,  H.  How  Can  Justice  Be  Used  to  Manage  Stress  in  Organizations? 
Handbook  of  Organizational  Justice  (ISBN  978-0805842036).  2005.  Pages  383-410. 

[Wayne  1997] 

Wayne,  S.  J.;  Shore,  L.  M.;  &  Liden,  R.  C.  Perceived  Organizational  Support  and  Leader-Member 
Exchange:  A  Social  Exchange  Perspective.  Academy  Of  Management  Journal.  Volume  40.  Num¬ 
ber  1.  February  1997.  Page  82.  http://amj.aom.Org/content/40/l/82.short 

[Westman  2001] 

Westman,  M.  &  Etzion,  D.  The  Impact  of  Vacation  and  Job  Stress  on  Burnout  and  Absenteeism. 
Psychology  &  Health.  Volume  16.  Number  5.  September  2001.  Page  595. 

[Whitney  2010] 

Whitney,  Diana  D.  &  Trosten-Bloom,  Amanda.  The  Power  of  Appreciative  Inquiry:  A  Practical 
Guide  to  Positive  Change.  Berrett-Koehler  Publishers.  2010.  ISBN  978-1605093284. 

[Willison  2009] 

Willison,  Robert  &  Siponen,  Mikko.  Overcoming  the  Insider:  Reducing  Employee  Computer 
Crime  Through  Situational  Crime  Prevention.  Communications  of  the  ACM.  Volume  52.  Number 
9.  September  2009.  Page  133.  http://dl.acm.org/citation.cfm7ktl562198 


CMU/SEI-2016-TR-014  |  SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 
[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


57 


REPORT  DOCUMENTATION  PAGE 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  this  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  search¬ 
ing  existing  data  sources,  gathering  and  maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regard¬ 
ing  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information,  including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters 
Services,  Directorate  for  information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington,  VA  22202-4302,  and  to  the  Office  of 
Management  and  Budget,  Paperwork  Reduction  Project  (0704-0188),  Washington,  DC  20503. 

1,  AGENCY  USE  ONLY 

(Leave  Blank) 

2.  REPORT  DATE 

December  2016 

3.  REPORT  TYPE  AND  DATES 

COVERED 

Final 

4.  TITLE  AND  SUBTITLE 

The  Critical  Role  of  Positive  Incentives  for  Reducing  InsiderThreats 

5.  FUNDING  NUMBERS 

FA8721-05-C-0003 

6.  AUTHOR(S) 

Andrew  P.  Moore,  Samuel  J .  Perl,  J  ennifer Cowley,  Matthew  L.  Collins,  Tracy  M.  Cassidy,  Nathan  VanHoudnos,  Palma  Buttles,  Daniel 
Bauer,  Allison  Parshall,  J  eff  Savinda,  Elizabeth  A.  Monaco,  Jamie  L.  Moyes,  &  Denise  M.  Rousseau 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Software  Engineering  Institute 

Carnegie  Mellon  University 

Pittsburgh,  PA  15213 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

CMU/SEI-2016-TR-014 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

AFLCMC/PZE/Hanscom 

Enterprise  Acquisition  Division 

20  Schilling  Circle 

Building  1305 

Hanscom  AFB,  MA  01731-2116 

10.  SPONSORING/MONITORING 

AGENCY  REPORT  NUMBER 

n/a 

11.  SUPPLEMENTARY  NOTES 

12A  DISTRIBUTION/AVAILABILITY  STATEMENT 

Unclassified/Unlimited,  DTIC,  NTIS 

12b  distribution  code 

13.  ABSTRACT  (MAXIMUM  200  WORDS) 

Traditional  insider  threat  practices  involve  negative  incentives  that  attempt  to  force  employees  to  act  in  the  interests  of  the  organization 
and,  when  relied  on  excessively,  can  result  in  negative  unintended  consequences  that  exacerbate  insider  threats.  Positive  incentives 
that  attempt  to  encourage  employees  to  act  in  the  interests  of  the  organization  can  complement  negative  incentives.  In  our  research,  we 
identified  and  analyzed  three  avenues  foraligning  the  interests  of  the  employee  and  the  organization:  job  engagement,  perceived  organ¬ 
izational  support,  and  connectedness  with  co-workers.  Based  on  an  analysis  of  three  insider  threat  incidents  and  an  exploratory  survey 
of  organizations,  we  developed  a  model  of  the  disgruntled  insider  threat  problem  as  it  relates  to  dissatisfaction  with  the  employing  organ¬ 
ization  and  the  potential  benefits  associated  with  positive  incentives  that  improve  perceived  organizational  support  and  justice.  To  help 
organizations  understand  their  options  for  using  positive  incentives  as  part  of  their  insider  threat  program,  we  outline  workforce  manage¬ 
ment  practices  to  improve  employees' feelings  of  being  supported  by  the  organization.  This  research  is  a  first  step  toward  creating  a 
well-grounded  foundation  on  which  insider  threat  programs  can  establish  a  more  balanced  and  effective  means  of  reducing  insider 
threats,  one  that  is  a  net  positive  for  both  the  employee  and  the  organization. 

14.  SUBJ  ECTTERMS  15.  NUMBER  OF  PAGES 

Insider  threat  incentives,  insider  threat  incidents,  positive  incentives,  negative  incentives,  in-  66 

sider  threat  program 

16.  PRICE  CODE 


17.  SECURITY  CLASSIFICATION  OF 

18.  SECURITY  CLASSIFICATION 

19.  SECURITY  CLASSIFICATION 

20.  LIMITATION  OF 

REPORT 

OF  THIS  PAGE 

OF  ABSTRACT 

ABSTRACT 

Unclassified 

Unclassified 

Unclassified 

UL 

NSN  7540-01-280-5500 

Standard  Form  298  (Rev.  2-89)  Prescribed  by  ANSI  Std.  Z39-18 
298-102 

